Analysis

Category:  FILE
Package:   Extraction
Started:   2020-01-14 13:31:37
Completed: 2020-01-14 13:33:21
Duration:  104 seconds

Options:
route = internet
procdump = 0

Log:
2020-01-14 13:31:51,015 [root] INFO: Date set to: 01-14-20, time set to: 13:31:51, timeout set to: 200
2020-01-14 13:31:51,108 [root] DEBUG: Starting analyzer from: C:\czhprqnxum
2020-01-14 13:31:51,108 [root] DEBUG: Storing results at: C:\BgpabSYJgx
2020-01-14 13:31:51,108 [root] DEBUG: Pipe server name: \\.\PIPE\jsCcabl
2020-01-14 13:31:51,108 [root] INFO: Analysis package "Extraction" has been specified.
2020-01-14 13:32:03,604 [root] DEBUG: Started auxiliary module Browser
2020-01-14 13:32:03,604 [root] DEBUG: Started auxiliary module Curtain
2020-01-14 13:32:03,604 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-01-14 13:32:06,957 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-01-14 13:32:06,957 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-01-14 13:32:06,973 [root] DEBUG: Started auxiliary module DigiSig
2020-01-14 13:32:06,973 [root] DEBUG: Started auxiliary module Disguise
2020-01-14 13:32:06,973 [root] DEBUG: Started auxiliary module Human
2020-01-14 13:32:06,973 [root] DEBUG: Started auxiliary module Screenshots
2020-01-14 13:32:06,973 [root] DEBUG: Started auxiliary module Sysmon
2020-01-14 13:32:06,973 [root] DEBUG: Started auxiliary module Usage
2020-01-14 13:32:06,973 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-01-14 13:32:06,973 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-01-14 13:32:06,990 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE" with arguments "" with pid 884
2020-01-14 13:32:06,990 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:32:06,990 [lib.api.process] INFO: 32-bit DLL to inject is C:\czhprqnxum\dll\enHbxmHi.dll, loader C:\czhprqnxum\bin\TXtJVMu.exe
2020-01-14 13:32:07,005 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jsCcabl.
2020-01-14 13:32:07,005 [root] DEBUG: Loader: Injecting process 884 (thread 1912) with C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:07,020 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:32:07,020 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:07,020 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:32:07,020 [root] DEBUG: Successfully injected DLL C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:07,020 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 884
2020-01-14 13:32:09,032 [lib.api.process] INFO: Successfully resumed process with pid 884
2020-01-14 13:32:09,032 [root] INFO: Added new process to list with pid: 884
2020-01-14 13:32:09,141 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:32:09,157 [root] DEBUG: Process dumps disabled.
2020-01-14 13:32:09,220 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:32:09,220 [root] INFO: Disabling sleep skipping.
2020-01-14 13:32:09,220 [root] INFO: Disabling sleep skipping.
2020-01-14 13:32:09,220 [root] INFO: Disabling sleep skipping.
2020-01-14 13:32:09,220 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2020-01-14 13:32:09,220 [root] INFO: Disabling sleep skipping.
2020-01-14 13:32:09,220 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x4a0000
2020-01-14 13:32:09,220 [root] DEBUG: Debugger initialised.
2020-01-14 13:32:09,220 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 884 at 0x74eb0000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:32:09,220 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE".
2020-01-14 13:32:09,220 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-01-14 13:32:09,220 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:32:09,220 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-01-14 13:32:09,220 [root] DEBUG: AddTrackedRegion: EntryPoint 0x12e4, Entropy 7.122131e+00
2020-01-14 13:32:09,220 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-01-14 13:32:09,220 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:32:09,236 [root] INFO: Monitor successfully loaded in process with pid 884.
2020-01-14 13:32:09,329 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:09,329 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:09,329 [root] DEBUG: ProcessImageBase: EP 0x000012E4 image base 0x00400000 size 0x0 entropy 7.122131e+00.
2020-01-14 13:32:09,329 [root] DEBUG: ProtectionHandler: Adding region at 0x00570000 to tracked regions.
2020-01-14 13:32:09,329 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00570000) returned 0x00000000.
2020-01-14 13:32:09,329 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:32:09,329 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00570000) -> AllocationBase 0x00570000 RegionSize 0x24576.
2020-01-14 13:32:09,329 [root] DEBUG: AddTrackedRegion: New region at 0x00570000 size 0x6000 added to tracked regions.
2020-01-14 13:32:09,329 [root] DEBUG: ProtectionHandler: Address: 0x00570000 (alloc base 0x00570000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-01-14 13:32:09,329 [root] DEBUG: ProtectionHandler: New code detected at (0x00570000), scanning for PE images.
2020-01-14 13:32:09,329 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x576000.
2020-01-14 13:32:09,329 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570000-0x576000.
2020-01-14 13:32:09,329 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x576000.
2020-01-14 13:32:09,329 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570000-0x576000.
2020-01-14 13:32:09,329 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00570000, TrackedRegion->RegionSize: 0x6000, thread 1912
2020-01-14 13:32:09,329 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x00570000 and Type=0x1.
2020-01-14 13:32:09,345 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1912 type 1 at address 0x00570000, size 2 with Callback 0x74eb7510.
2020-01-14 13:32:09,345 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00570000
2020-01-14 13:32:09,345 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0057003C and Type=0x1.
2020-01-14 13:32:09,345 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1912 type 1 at address 0x0057003C, size 4 with Callback 0x74eb71a0.
2020-01-14 13:32:09,345 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0057003C
2020-01-14 13:32:09,345 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00570000.
2020-01-14 13:32:09,375 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-01-14 13:32:09,486 [root] DEBUG: ProtectionHandler: Address 0x00570000 already in tracked region at 0x00570000, size 0x6000
2020-01-14 13:32:09,486 [root] DEBUG: ProtectionHandler: Address: 0x00570000 (alloc base 0x00570000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-01-14 13:32:09,486 [root] DEBUG: ProtectionHandler: Increased region size at 0x00570000 to 0xa000.
2020-01-14 13:32:09,486 [root] DEBUG: ProtectionHandler: New code detected at (0x00570000), scanning for PE images.
2020-01-14 13:32:09,486 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x57a000.
2020-01-14 13:32:09,486 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570000-0x57a000.
2020-01-14 13:32:09,486 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x57a000.
2020-01-14 13:32:09,486 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570000-0x57a000.
2020-01-14 13:32:09,486 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00570000, TrackedRegion->RegionSize: 0xa000, thread 1912
2020-01-14 13:32:09,486 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x00570000 and Type=0x1.
2020-01-14 13:32:09,486 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1912 type 1 at address 0x00570000, size 2 with Callback 0x74eb7510.
2020-01-14 13:32:09,486 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00570000
2020-01-14 13:32:09,486 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x0057003C and Type=0x1.
2020-01-14 13:32:09,486 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1912 type 1 at address 0x0057003C, size 4 with Callback 0x74eb71a0.
2020-01-14 13:32:09,500 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0057003C
2020-01-14 13:32:09,500 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00570000.
2020-01-14 13:32:09,720 [root] DEBUG: Allocation: 0x01DD0000 - 0x01DDF000, size: 0xf000, protection: 0x40.
2020-01-14 13:32:09,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:09,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:09,720 [root] DEBUG: ProcessImageBase: EP 0x000012E4 image base 0x00400000 size 0x0 entropy 7.137292e+00.
2020-01-14 13:32:09,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00570000.
2020-01-14 13:32:09,734 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x01DD0000, size: 0xf000.
2020-01-14 13:32:09,734 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01DD0000) returned 0x00000000.
2020-01-14 13:32:09,734 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:32:09,734 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01DD0000) -> AllocationBase 0x01DD0000 RegionSize 0x61440.
2020-01-14 13:32:09,734 [root] DEBUG: AddTrackedRegion: New region at 0x01DD0000 size 0xf000 added to tracked regions.
2020-01-14 13:32:09,734 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x01DD0000, TrackedRegion->RegionSize: 0xf000, thread 1912
2020-01-14 13:32:09,734 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00570000 to 0x01DD0000.
2020-01-14 13:32:09,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x57a000.
2020-01-14 13:32:09,734 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570000-0x57a000.
2020-01-14 13:32:09,734 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range 0x00570000 - 0x0057A000.
2020-01-14 13:32:09,750 [root] DEBUG: DumpMemory: CAPE output file C:\BgpabSYJgx\CAPE\884_17129094739321314212020 successfully created, size 0x10000
2020-01-14 13:32:09,766 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x570000
2020-01-14 13:32:09,766 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00570000 size 0x10000.
2020-01-14 13:32:09,766 [root] DEBUG: DumpMemory: CAPE output file C:\BgpabSYJgx\CAPE\884_18538226649321314212020 successfully created, size 0xa000
2020-01-14 13:32:09,782 [root] INFO: Added new CAPE file to list with path: C:\BgpabSYJgx\CAPE\884_18538226649321314212020
2020-01-14 13:32:09,782 [root] DEBUG: DumpRegion: Dumped stack region from 0x00570000, size 0xa000.
2020-01-14 13:32:09,782 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00570000.
2020-01-14 13:32:09,782 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x570000 - 0x57a000.
2020-01-14 13:32:09,782 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xe0, Size=0x2, Address=0x01DD0000 and Type=0x1.
2020-01-14 13:32:09,782 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1912 type 1 at address 0x01DD0000, size 2 with Callback 0x74eb7510.
2020-01-14 13:32:09,782 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x01DD0000
2020-01-14 13:32:09,782 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xe0, Size=0x4, Address=0x01DD003C and Type=0x1.
2020-01-14 13:32:09,782 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1912 type 1 at address 0x01DD003C, size 4 with Callback 0x74eb71a0.
2020-01-14 13:32:09,782 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x01DD003C
2020-01-14 13:32:09,782 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x01DD0000 (size 0xf000).
2020-01-14 13:32:10,358 [root] DEBUG: DLL unloaded from 0x77BE0000.
2020-01-14 13:32:10,358 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0047BAE4 (thread 1912)
2020-01-14 13:32:10,358 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01DD003C.
2020-01-14 13:32:10,358 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x610dd3e6 (at 0x01DD003C).
2020-01-14 13:32:10,358 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x01DD0000 and Type=0x0.
2020-01-14 13:32:10,358 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01DD0000.
2020-01-14 13:32:10,358 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0047BAE4 (thread 1912)
2020-01-14 13:32:10,358 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01DD0000.
2020-01-14 13:32:10,358 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x01DD0000 already exists for thread 1912 (process 884), skipping.
2020-01-14 13:32:10,375 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1dd0000: 0x41.
2020-01-14 13:32:10,375 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-01-14 13:32:10,375 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x01DD0000 (thread 1912)
2020-01-14 13:32:10,375 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x01DD0000 (allocation base 0x01DD0000).
2020-01-14 13:32:10,390 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x01DD0000, size 0xf000).
2020-01-14 13:32:10,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x1dd0000 - 0x1ddf000.
2020-01-14 13:32:10,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1dd0000-0x1ddf000.
2020-01-14 13:32:10,390 [root] DEBUG: DumpMemory: CAPE output file C:\BgpabSYJgx\CAPE\884_78085011410321814212020 successfully created, size 0xf000
2020-01-14 13:32:10,390 [root] INFO: Added new CAPE file to list with path: C:\BgpabSYJgx\CAPE\884_78085011410321814212020
2020-01-14 13:32:10,390 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x01DD0000 (size 0xf000).
2020-01-14 13:32:10,390 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1dd0000 - 0x1ddf000.
2020-01-14 13:32:10,405 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x01DD0000.
2020-01-14 13:32:10,405 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x01DD003C.
2020-01-14 13:32:10,405 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x01DD0000.
2020-01-14 13:32:10,405 [root] DEBUG: set_caller_info: Adding region at 0x01DD0000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:32:10,405 [root] DEBUG: set_caller_info: Caller at 0x01DD63CA in tracked regions.
2020-01-14 13:32:10,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:10,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:10,405 [root] DEBUG: ProcessImageBase: EP 0x000012E4 image base 0x00400000 size 0x0 entropy 7.137292e+00.
2020-01-14 13:32:10,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00570000.
2020-01-14 13:32:10,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DD0000.
2020-01-14 13:32:12,417 [root] DEBUG: DLL loaded at 0x759C0000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-01-14 13:32:12,512 [root] INFO: Announced 32-bit process name: QUOTE_93.EXE pid: 976
2020-01-14 13:32:12,512 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:32:12,512 [lib.api.process] INFO: 32-bit DLL to inject is C:\czhprqnxum\dll\enHbxmHi.dll, loader C:\czhprqnxum\bin\TXtJVMu.exe
2020-01-14 13:32:12,528 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jsCcabl.
2020-01-14 13:32:12,542 [root] DEBUG: Loader: Injecting process 976 (thread 1244) with C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,542 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:32:12,542 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,542 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:32:12,542 [root] DEBUG: Successfully injected DLL C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,542 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 976
2020-01-14 13:32:12,542 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-01-14 13:32:12,559 [root] DEBUG: DLL unloaded from 0x00400000.
2020-01-14 13:32:12,559 [root] INFO: Announced 32-bit process name: QUOTE_93.EXE pid: 976
2020-01-14 13:32:12,559 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:32:12,559 [lib.api.process] INFO: 32-bit DLL to inject is C:\czhprqnxum\dll\enHbxmHi.dll, loader C:\czhprqnxum\bin\TXtJVMu.exe
2020-01-14 13:32:12,559 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jsCcabl.
2020-01-14 13:32:12,559 [root] DEBUG: Loader: Injecting process 976 (thread 1244) with C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,559 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:32:12,559 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,573 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:32:12,573 [root] DEBUG: Successfully injected DLL C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,573 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 976
2020-01-14 13:32:12,573 [root] INFO: Announced 32-bit process name: QUOTE_93.EXE pid: 976
2020-01-14 13:32:12,573 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:32:12,573 [lib.api.process] INFO: 32-bit DLL to inject is C:\czhprqnxum\dll\enHbxmHi.dll, loader C:\czhprqnxum\bin\TXtJVMu.exe
2020-01-14 13:32:12,573 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jsCcabl.
2020-01-14 13:32:12,573 [root] DEBUG: Loader: Injecting process 976 (thread 1244) with C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,573 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:32:12,573 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x0047AB69)
2020-01-14 13:32:12,573 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,573 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:32:12,573 [root] DEBUG: Successfully injected DLL C:\czhprqnxum\dll\enHbxmHi.dll.
2020-01-14 13:32:12,573 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 976
2020-01-14 13:32:12,589 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:32:12,589 [root] DEBUG: Process dumps disabled.
2020-01-14 13:32:12,589 [root] INFO: Disabling sleep skipping.
2020-01-14 13:32:12,589 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 884).
2020-01-14 13:32:12,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:12,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:12,589 [root] DEBUG: ProcessImageBase: EP 0x000012E4 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-01-14 13:32:12,589 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:32:12,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00570000.
2020-01-14 13:32:12,589 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2020-01-14 13:32:12,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DD0000.
2020-01-14 13:32:12,589 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2f0000
2020-01-14 13:32:12,605 [root] INFO: Notified of termination of process with pid 884.
2020-01-14 13:32:12,605 [root] DEBUG: Debugger initialised.
2020-01-14 13:32:12,605 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 884).
2020-01-14 13:32:12,605 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 976 at 0x74eb0000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:32:12,605 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE".
2020-01-14 13:32:12,605 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-01-14 13:32:12,605 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:32:12,605 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-01-14 13:32:12,605 [root] DEBUG: AddTrackedRegion: EntryPoint 0x12e4, Entropy 7.122131e+00
2020-01-14 13:32:12,605 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-01-14 13:32:12,605 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:32:12,621 [root] INFO: Added new process to list with pid: 976
2020-01-14 13:32:12,621 [root] INFO: Monitor successfully loaded in process with pid 976.
2020-01-14 13:32:12,621 [root] DEBUG: Allocation: 0x00300000 - 0x0030F000, size: 0xf000, protection: 0x40.
2020-01-14 13:32:12,621 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:12,621 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:12,637 [root] DEBUG: ProcessImageBase: EP 0x000012E4 image base 0x00400000 size 0x0 entropy 7.122131e+00.
2020-01-14 13:32:12,637 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00300000, size: 0xf000.
2020-01-14 13:32:12,637 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00300000) returned 0x00000000.
2020-01-14 13:32:12,637 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:32:12,637 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00300000) -> AllocationBase 0x00300000 RegionSize 0x61440.
2020-01-14 13:32:12,637 [root] DEBUG: AddTrackedRegion: New region at 0x00300000 size 0xf000 added to tracked regions.
2020-01-14 13:32:12,637 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00300000, TrackedRegion->RegionSize: 0xf000, thread 1244
2020-01-14 13:32:12,651 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc8, Size=0x2, Address=0x00300000 and Type=0x1.
2020-01-14 13:32:12,651 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1244 type 1 at address 0x00300000, size 2 with Callback 0x74eb7510.
2020-01-14 13:32:12,667 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00300000
2020-01-14 13:32:12,667 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc8, Size=0x4, Address=0x0030003C and Type=0x1.
2020-01-14 13:32:12,667 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1244 type 1 at address 0x0030003C, size 4 with Callback 0x74eb71a0.
2020-01-14 13:32:12,684 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0030003C
2020-01-14 13:32:12,698 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00300000 (size 0xf000).
2020-01-14 13:32:13,244 [root] DEBUG: DLL unloaded from 0x77BE0000.
2020-01-14 13:32:13,244 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0047BAE4 (thread 1244)
2020-01-14 13:32:13,244 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0030003C.
2020-01-14 13:32:13,260 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x610dd3e6 (at 0x0030003C).
2020-01-14 13:32:13,260 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00300000 and Type=0x0.
2020-01-14 13:32:13,260 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00300000.
2020-01-14 13:32:13,260 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0047BAE4 (thread 1244)
2020-01-14 13:32:13,276 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00300000.
2020-01-14 13:32:13,276 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00300000 already exists for thread 1244 (process 976), skipping.
2020-01-14 13:32:13,276 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x300000: 0x41.
2020-01-14 13:32:13,276 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-01-14 13:32:13,276 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00300000 (thread 1244)
2020-01-14 13:32:13,276 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00300000 (allocation base 0x00300000).
2020-01-14 13:32:13,276 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00300000, size 0xf000).
2020-01-14 13:32:13,276 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x30f000.
2020-01-14 13:32:13,292 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x300000-0x30f000.
2020-01-14 13:32:13,308 [root] DEBUG: DumpMemory: CAPE output file C:\BgpabSYJgx\CAPE\976_201417760813321814212020 successfully created, size 0xf000
2020-01-14 13:32:13,308 [root] INFO: Added new CAPE file to list with path: C:\BgpabSYJgx\CAPE\976_201417760813321814212020
2020-01-14 13:32:13,308 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x00300000 (size 0xf000).
2020-01-14 13:32:13,308 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x300000 - 0x30f000.
2020-01-14 13:32:13,308 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00300000.
2020-01-14 13:32:13,322 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0030003C.
2020-01-14 13:32:13,338 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00300000.
2020-01-14 13:32:13,354 [root] DEBUG: set_caller_info: Adding region at 0x00300000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:32:13,369 [root] DEBUG: set_caller_info: Caller at 0x003063CA in tracked regions.
2020-01-14 13:32:13,369 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:13,385 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:13,401 [root] DEBUG: ProcessImageBase: EP 0x000012E4 image base 0x00400000 size 0x0 entropy 7.122131e+00.
2020-01-14 13:32:13,401 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00300000.
2020-01-14 13:32:15,414 [root] DEBUG: DLL loaded at 0x759C0000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-01-14 13:32:15,476 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2020-01-14 13:32:15,476 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x28bf4, NewAccessProtection: 0x20
2020-01-14 13:32:15,476 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x29bf4.
2020-01-14 13:32:15,492 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2020-01-14 13:32:15,506 [root] DEBUG: ProcessImageBase: EP 0x0001B650 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-01-14 13:32:15,506 [root] DEBUG: ProcessImageBase: Modified entry point (0x0001B650) detected at image base 0x00400000 - dumping.
2020-01-14 13:32:15,506 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:32:15,506 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:32:15,506 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001B650.
2020-01-14 13:32:15,506 [root] DEBUG: CreateThread: Initialising breakpoints for thread 560.
2020-01-14 13:32:15,585 [root] DEBUG: Allocation: 0x20490000 - 0x20793000, size: 0x303000, protection: 0x40.
2020-01-14 13:32:15,615 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:15,631 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:15,631 [root] DEBUG: ProcessImageBase: EP 0x0001B650 image base 0x00400000 size 0x0 entropy 7.319126e+00.
2020-01-14 13:32:15,631 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00300000.
2020-01-14 13:32:15,631 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x20490000, size: 0x303000.
2020-01-14 13:32:15,631 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x20490000) returned 0x00000000.
2020-01-14 13:32:15,648 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:32:15,648 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x20490000) -> AllocationBase 0x20490000 RegionSize 0x3158016.
2020-01-14 13:32:15,648 [root] DEBUG: AddTrackedRegion: New region at 0x20490000 size 0x303000 added to tracked regions.
2020-01-14 13:32:15,663 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x20490000, TrackedRegion->RegionSize: 0x303000, thread 560
2020-01-14 13:32:15,663 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00300000 to 0x20490000.
2020-01-14 13:32:15,663 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1244.
2020-01-14 13:32:15,678 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1244.
2020-01-14 13:32:15,678 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x100, Size=0x2, Address=0x20490000 and Type=0x1.
2020-01-14 13:32:15,678 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 560 type 1 at address 0x20490000, size 2 with Callback 0x74eb7510.
2020-01-14 13:32:15,678 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x20490000
2020-01-14 13:32:15,678 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x100, Size=0x4, Address=0x2049003C and Type=0x1.
2020-01-14 13:32:15,678 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 560 type 1 at address 0x2049003C, size 4 with Callback 0x74eb71a0.
2020-01-14 13:32:15,710 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x2049003C
2020-01-14 13:32:15,710 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x20490000 (size 0x303000).
2020-01-14 13:32:15,710 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,710 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x20490000.
2020-01-14 13:32:15,726 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2020-01-14 13:32:15,726 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,726 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x20490000.
2020-01-14 13:32:15,726 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2020-01-14 13:32:15,726 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x20490000: 0x20490000 0x2049003C 0x00000000 0x00000000
2020-01-14 13:32:15,726 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x2049003C already exists for thread 560 (process 976), skipping.
2020-01-14 13:32:15,726 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2049003c (EIP = 0x418379)
2020-01-14 13:32:15,740 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x20490000: 0x4d.
2020-01-14 13:32:15,740 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-01-14 13:32:15,740 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,740 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x2049003C.
2020-01-14 13:32:15,756 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x20490000: 0x20490000 0x2049003C 0x00000000 0x00000000
2020-01-14 13:32:15,772 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x204900F0 and Type=0x1.
2020-01-14 13:32:15,772 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x20490100 and Type=0x1.
2020-01-14 13:32:15,772 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x20490100.
2020-01-14 13:32:15,772 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,772 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x2049003C.
2020-01-14 13:32:15,788 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-01-14 13:32:15,788 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,803 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x2049003C.
2020-01-14 13:32:15,819 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-01-14 13:32:15,819 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,819 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x2049003C.
2020-01-14 13:32:15,835 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-01-14 13:32:15,865 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,865 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x204900F0.
2020-01-14 13:32:15,865 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x100), return address 0x004176CA, allocation base 0x00400000.
2020-01-14 13:32:15,881 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x00400000).
2020-01-14 13:32:15,897 [root] DEBUG: MagicWriteCallback: Magic value not valid NT: 0xb (at 0x204900F0).
2020-01-14 13:32:15,897 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,897 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x204900F0.
2020-01-14 13:32:15,897 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x100), return address 0x004176CA, allocation base 0x00400000.
2020-01-14 13:32:15,897 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-01-14 13:32:15,897 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,897 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x20490100.
2020-01-14 13:32:15,913 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x100), return address 0x004176CA, allocation base 0x00400000.
2020-01-14 13:32:15,913 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-01-14 13:32:15,913 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,913 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x20490100.
2020-01-14 13:32:15,913 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x100), return address 0x004176CA, allocation base 0x00400000.
2020-01-14 13:32:15,927 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-01-14 13:32:15,927 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,927 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x20490100.
2020-01-14 13:32:15,944 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x100), return address 0x004176CA, allocation base 0x00400000.
2020-01-14 13:32:15,944 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-01-14 13:32:15,944 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00418379 (thread 560)
2020-01-14 13:32:15,960 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x20490100.
2020-01-14 13:32:15,960 [root] DEBUG: GetHookCallerBase: thread 560 (handle 0x100), return address 0x004176CA, allocation base 0x00400000.
2020-01-14 13:32:15,960 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-01-14 13:32:25,553 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 976).
2020-01-14 13:32:25,599 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:25,631 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:25,631 [root] DEBUG: ProcessImageBase: EP 0x0001B650 image base 0x00400000 size 0x0 entropy 7.318904e+00.
2020-01-14 13:32:25,631 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00300000.
2020-01-14 13:32:25,677 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:32:25,772 [root] DEBUG: DumpPEsInRange: Scanning range 0x20490000 - 0x20793000.
2020-01-14 13:32:25,772 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x20490000
2020-01-14 13:32:25,819 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:32:25,865 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x20490000.
2020-01-14 13:32:25,865 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:32:25,865 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x429bf4.
2020-01-14 13:32:25,881 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-01-14 13:32:25,911 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:32:25,911 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:32:25,911 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001B650.
2020-01-14 13:32:25,911 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x429bf4.
2020-01-14 13:32:25,911 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x00429BF4.
2020-01-14 13:32:25,927 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x00429BF4.
2020-01-14 13:32:25,927 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x429bf4.
2020-01-14 13:32:25,927 [root] INFO: Added new CAPE file to list with path: C:\BgpabSYJgx\CAPE\976_125371292825321814212020
2020-01-14 13:32:25,944 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x133000.
2020-01-14 13:32:25,974 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x20610000
2020-01-14 13:32:25,974 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:32:25,974 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x20610000.
2020-01-14 13:32:26,022 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:32:26,084 [root] INFO: Added new CAPE file to list with path: C:\BgpabSYJgx\CAPE\976_181743659226321814212020
2020-01-14 13:32:26,115 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x133000.
2020-01-14 13:32:26,161 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20610200-0x20793000.
2020-01-14 13:32:26,209 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x20490000 - 0x20793000.
2020-01-14 13:32:26,256 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x20490000 - 0x20793000.
2020-01-14 13:32:26,256 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20490000 - 0x20793000.
2020-01-14 13:32:26,270 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x204900F0.
2020-01-14 13:32:26,270 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-01-14 13:32:26,318 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-01-14 13:32:26,318 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2049003C.
2020-01-14 13:32:26,365 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-01-14 13:32:26,411 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-01-14 13:32:26,457 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x20490100.
2020-01-14 13:32:26,505 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-01-14 13:32:26,505 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-01-14 13:32:26,552 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1244.
2020-01-14 13:32:26,552 [root] DEBUG: DLL unloaded from 0x77780000.
2020-01-14 13:32:26,552 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 976).
2020-01-14 13:32:26,598 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:32:26,645 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:32:26,691 [root] DEBUG: ProcessImageBase: EP 0x0001B650 image base 0x00400000 size 0x0 entropy 7.318904e+00.
2020-01-14 13:32:26,739 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00300000.
2020-01-14 13:32:26,786 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:32:26,832 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1244.
2020-01-14 13:32:26,832 [root] INFO: Notified of termination of process with pid 976.
2020-01-14 13:32:33,463 [root] INFO: Process list is empty, terminating analysis.
2020-01-14 13:32:34,819 [root] INFO: Created shutdown mutex.
2020-01-14 13:32:35,895 [root] INFO: Shutting down package.
2020-01-14 13:32:35,895 [root] INFO: Stopping auxiliary modules.
2020-01-14 13:32:35,927 [root] INFO: Finishing auxiliary modules.
2020-01-14 13:32:35,927 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-01-14 13:32:35,927 [root] WARNING: File at path "C:\BgpabSYJgx\debugger" does not exist, skip.
2020-01-14 13:32:35,973 [root] INFO: Analysis completed.

MalScore

9.5

Malicious

Machine

Name target-04
Label target-04
Manager ESX
Started On 2020-01-14 13:31:37
Shutdown On 2020-01-14 13:33:19

File Details

File Name QUOTE_93.EXE
File Size 610304 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 000fcea6b4f208bdcab56a54a22bf5b6
SHA1 eeb2de9cc0c5b3760b390d060d50436f44086867
SHA256 69763bf2b9009fd0089ddfbee413ea4b233d6fc3ce3ecd831b2ef36251d6ed09
SHA512 b643fce44e8979105f040e9b1b9ec465ecfcd55aa6dc77b38581aabe65857f28af86ab7db4fd824d711566d408aa26653595eed7baf6e85daec27a126e847f6f
CRC32 5703761D
Ssdeep 12288:c7ELrG8xO8WJMvl0tegBBwJhOwoyvlsVWa:c7Ef1OtJMvCtlBBGToyO
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 884 triggered the Yara rule 'embedded_win_api'
Hit: PID 884 triggered the Yara rule 'shellcode_patterns'
Hit: PID 976 triggered the Yara rule 'shellcode_get_eip'
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: QUOTE_93.EXE, PID 976
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgUiRemoteBreakin
DynamicLoader: ntdll.dll/NtSetInformationThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgUiRemoteBreakin
DynamicLoader: ntdll.dll/NtSetInformationThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/TerminateThread
CAPE extracted potentially suspicious content
QUOTE_93.EXE: Extracted Shellcode
QUOTE_93.EXE: Extracted Shellcode
QUOTE_93.EXE: Extracted PE Image: 32-bit executable
QUOTE_93.EXE: Extracted PE Image: 32-bit DLL
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.21, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00092000, virtual_size: 0x00091094
Behavioural detection: Injection (Process Hollowing)
Injection: QUOTE_93.EXE(884) -> QUOTE_93.EXE(976)
Executed a process and injected code into it, probably while unpacking
Injection: QUOTE_93.EXE(884) -> QUOTE_93.EXE(976)

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\ntdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\QUOTE_93.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetTextExtentExPointWPri
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetTickCount
kernel32.dll.Sleep
kernel32.dll.TerminateProcess
user32.dll.EnumWindows
kernel32.dll.SetErrorMode
kernel32.dll.SetLastError
kernel32.dll.CloseHandle
shell32.dll.ShellExecuteW
kernel32.dll.WriteFile
kernel32.dll.CreateFileW
kernel32.dll.VirtualProtectEx
kernel32.dll.CreateProcessInternalW
kernel32.dll.GetTempPathW
kernel32.dll.GetLongPathNameW
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.ExitThread
kernel32.dll.GetCurrentThread
ntdll.dll.NtProtectVirtualMemory
ntdll.dll.DbgBreakPoint
ntdll.dll.DbgUiRemoteBreakin
ntdll.dll.NtSetInformationThread
ntdll.dll.NtAllocateVirtualMemory
ntdll.dll.NtGetContextThread
ntdll.dll.NtSetContextThread
user32.dll.GetCursorPos
ntdll.dll.NtResumeThread
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetStartupInfoW
kernel32.dll.CreateThread
kernel32.dll.TerminateThread
"C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE"
Local\MSCTF.Asm.MutexDefault1

PE Information

Image Base 0x00400000
Entry Point 0x004012e4
Reported Checksum 0x0009deda
Actual Checksum 0x0009deda
Minimum OS Version 4.0
Compile Time 2003-04-13 18:01:57
Import Hash b4a7a6b9e69f14b4d729487af5abda91

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00091094 0x00092000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.21
.data 0x00093000 0x000018c8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00095000 0x00000736 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.67

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c __vbaFreeVarList
0x401010 __vbaEnd
0x401014 _adj_fdiv_m64
0x401018 None
0x40101c None
0x401020 None
0x401024 _adj_fprem1
0x401028 None
0x401030 _adj_fdiv_m32
0x401034 __vbaAryVar
0x401038 __vbaAryDestruct
0x40103c None
0x401040 None
0x401044 _adj_fdiv_m16i
0x401048 _adj_fdivr_m16i
0x40104c None
0x401050 _CIsin
0x401054 None
0x401058 __vbaChkstk
0x40105c None
0x401060 EVENT_SINK_AddRef
0x401064 __vbaStrCmp
0x401068 __vbaAryConstruct2
0x40106c __vbaR4Str
0x401070 __vbaI2I4
0x401074 None
0x401078 _adj_fpatan
0x40107c EVENT_SINK_Release
0x401080 _CIsqrt
0x401088 __vbaExceptHandler
0x40108c _adj_fprem
0x401090 _adj_fdivr_m64
0x401094 None
0x401098 __vbaFPException
0x40109c _CIlog
0x4010a0 __vbaNew2
0x4010a4 None
0x4010a8 _adj_fdiv_m32i
0x4010ac _adj_fdivr_m32i
0x4010b0 __vbaStrCopy
0x4010b4 __vbaI4Str
0x4010b8 None
0x4010bc _adj_fdivr_m32
0x4010c0 _adj_fdiv_r
0x4010c4 None
0x4010c8 __vbaVarTstNe
0x4010cc __vbaVarDup
0x4010d0 __vbaFpI4
0x4010d4 _CIatan
0x4010d8 __vbaStrMove
0x4010dc __vbaAryCopy
0x4010e0 _allmul
0x4010e4 _CItan
0x4010e8 _CIexp
0x4010ec __vbaFreeStr
0x4010f0 __vbaFreeObj
0x4010f4 None

.text
`.data
.rsrc
MSVBVM60.DLL
immICCOVA
SUSPIRE8Unspokenly0
SUSPIRE8DRUID5
SUSPIRE8DRUID5
SUSPIRE8sedum
SUSPIRE8QUALMPROOF5
SUSPIRE8Protophyll
SUSPIRE8WORKSTATIONS
SUSPIRE8SERRIED
SUSPIRE8GANIATS
SUSPIRE8Accredited
SUSPIRE8astraphobia1
SUSPIRE8Terreneness5
SUSPIRE8Quasisympathetically6
Label1
SUSPIRE8Seifz
VB5!6&*
Tasae
immICCOVA
immICCOVA
immICCOVA
SUSPIRE8Unspokenly0
SUSPIRE8halfwild
SUSPIRE8unshadow7
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
SUSPIRE8Terreneness5
SUSPIRE8sedum
Label1
SUSPIRE8Accredited
SUSPIRE8SERRIED
SUSPIRE8Protophyll
SUSPIRE8Unspokenly03
VBA6.DLL
__vbaAryDestruct
__vbaAryVar
__vbaAryCopy
__vbaEnd
__vbaR4Str
__vbaI2I4
__vbaFreeVarList
__vbaI4Str
__vbaVarTstNe
__vbaStrCopy
__vbaFreeObj
__vbaNew2
__vbaFreeStr
__vbaStrMove
__vbaStrCmp
__vbaHresultCheckObj
__vbaFpI4
/__vbaFreeVar
__vbaVarDup
__vbaAryConstruct2
SUSPIRE8unshadow7
SUSPIRE8Keyage5
SUSPIRE8Keyage5
SUSPIRE8halfwild
SUSPIRE8underactor
SUSPIRE8underactor
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaFreeVar
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
_adj_fprem1
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
_adj_fdiv_m16i
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaAryConstruct2
__vbaR4Str
__vbaI2I4
_adj_fpatan
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaVarDup
__vbaFpI4
_CIatan
__vbaStrMove
__vbaAryCopy
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
vZb8lor9bvwU8gFvsebRWjvtHyxp2jeDGGqr243
M2Yo177
kxG109
Double
u4FiPTUA3arcOj1G3Iy2l50gd7n8Uk5cmhx241
amYZ3rKVMZh2yBQmNmi5ApfghT229
SKT32a7btFAdjyRMHidmkDRCdfp4190
b27548S80
ok0LvOg5vbhNl7oZtQdOkzos7fowQ247
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
ProductName
immICCOVA
FileVersion
1.02.0007
ProductVersion
1.02.0007
InternalName
Tasae
OriginalFilename
Tasae.exe
This file is not on VirusTotal.

Process Tree

QUOTE_93.EXE, PID: 884, Parent PID: 1512
Full Path: C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE"
QUOTE_93.EXE, PID: 976, Parent PID: 884
Full Path: C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Extracted Shellcode
Size 40960 bytes
Virtual Address 0x00570000
Process QUOTE_93.EXE
PID 884
Path C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE
MD5 48ce8fa3bb29b3917afb9b63b80dc9ae
SHA1 cdb115677e11bf072a2ad98eb3d7e83aea1219bc
SHA256 0fdad7773ef5253e241e007dfda941d05908bac4bb304dabd72abcf07172df97
CRC32 CDCAA29D
Ssdeep 384:ezyeIMEZ/IvkBC/a0jNbM9wZTFRysbvV:ezMZkje9wRH5bt
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 61440 bytes
Virtual Address 0x01DD0000
Process QUOTE_93.EXE
PID 884
Path C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE
MD5 cbd0d4b304436fc4a0372ef8de12e747
SHA1 51b2664f8cf646471472d2c6ad81df344a1c9855
SHA256 906e6e4a69196b0c56b203bd08848b7851fbce28be856873a92ca63ff051d42f
CRC32 F52B8ABC
Ssdeep 768:fDUe5IKVJNLbyGoTHdfwhhdqOdZvNr0Gnr3IMePcbI001me:dJ0THdYhgMFr0G06IUe
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 1024 bytes
Virtual Address 0x00000000
Process QUOTE_93.EXE
PID 976
Path C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE
MD5 0b636cfb28079b1cb165a8946fd776f8
SHA1 df168913e88ce2479d9afb710047f80c69da0458
SHA256 f828684f2a906dda825eefcae0021d933318f65e883763fba0124b535806a5a1
CRC32 9F2C0A98
Ssdeep 6:qRtPTD1/ll2vVg3F+X32C60OzcOM8gZuGdwC6h1Yn8lv/M:qLPTD9mGSGCfcSTZ1dwC6h1Yn8lHM
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC.
CAPE Yara None matched
Type Extracted PE Image: 32-bit DLL
Size 1257472 bytes
Virtual Address 0x00000000
Process QUOTE_93.EXE
PID 976
Path C:\Users\user\AppData\Local\Temp\QUOTE_93.EXE
MD5 1444846a79d288c321ac96236e7fd266
SHA1 a71e01472e46a171930b36fdd95d0cc73a61bddf
SHA256 38c05280b7ecec4ba30af8b2584b99edcf417bbcd636928cd2d308b981b29130
CRC32 3281E775
Ssdeep 24576:twSiY6yJJNC3GcO7xhInWYBE+GBgi4AcRAH:ctEJ43GccxbYB+4AcRAH
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Comments

No comments posted

Processing ( 2.602 seconds )

  • 1.61 CAPE
  • 0.405 Static
  • 0.278 TargetInfo
  • 0.132 TrID
  • 0.079 BehaviorAnalysis
  • 0.053 Strings
  • 0.032 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.074 seconds )

  • 0.012 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 infostealer_ftp
  • 0.004 antidbg_windows
  • 0.003 persistence_autorun
  • 0.003 stealth_timeout
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 NewtWire Behavior
  • 0.002 api_spamming
  • 0.002 decoy_document
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 InjectionCreateRemoteThread
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 121537
Mongo ID 5e1ddb24b84a07bce5476aef
Cuckoo release 1.3-CAPE