File SIWPortable_2011.10.29.paf.exe

Size 2.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 de24d1197c268c68334f02a6a271fa1b
SHA1 f8d358ce3ccfdd4eb7c6365fb1dd3ca98d958046
SHA256 8f863dd7e40a15b3dc07bbd96c2dc49f76c0bb5c730e2b9ca4beb58b0c14b6b4
SHA512 12e6b32f0d70c60e9424bb491e973b1468cc7a65d260bd60b2696727d171a2464912149f5f275bcd6b345c8c7cd775a5099d0dfd26d87606fa8a04dfa17cc9be
CRC32 5EA18DE5
ssdeep 49152:U9zXvqeWMwWDkYp+aIaX3TauTcuYR/MNJjg3zBigV5a2/WBJKt:+iePhD55X3TdTcuY/MN8QqH/0JKt
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.0 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Jan. 9, 2019, 10:28 a.m. Jan. 9, 2019, 10:32 a.m. 263 seconds

Machine

Name Label Started On Shutdown On
winxpsp3pro32 winxpsp3pro32 2019-01-09 10:28:27 2019-01-09 10:32:47

Analyzer Log

2019-01-09 03:11:54,046 [analyzer] DEBUG: Starting analyzer from: C:\vaofkbpq
2019-01-09 03:11:54,062 [analyzer] DEBUG: Pipe server name: \\.\PIPE\abXmdHuECKezWKWJWScDEtWlUAwBol
2019-01-09 03:11:54,062 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\PqPjJVdpMoAvulUAnEjOfYM
2019-01-09 03:11:54,062 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:54,062 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:55,733 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:55,875 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,875 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,937 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:55,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:55,937 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:55,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:55,937 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:56,203 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:56,203 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:11:56,312 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\SIWPortable_2011.10.29.paf.exe' with arguments '' and pid 1440
2019-01-09 03:11:56,405 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:56,405 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:56,530 [analyzer] DEBUG: Loaded monitor into process with pid 1440
2019-01-09 03:11:56,717 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz2.tmp
2019-01-09 03:11:56,796 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\LangDLL.dll
2019-01-09 03:11:56,921 [analyzer] DEBUG: Received request to inject pid=1440, but we are already injected there.
2019-01-09 03:11:57,108 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:11:58,140 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\System.dll
2019-01-09 03:11:58,250 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\FindProcDLL.dll
2019-01-09 03:11:58,375 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\ioSpecial.ini
2019-01-09 03:11:58,375 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-wizard.bmp
2019-01-09 03:11:58,467 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-header.bmp
2019-01-09 03:11:58,500 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\InstallOptions.dll
2019-01-09 03:11:59,171 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:01,265 [modules.auxiliary.human] INFO: Found button "I &Agree", clicking it
2019-01-09 03:12:03,390 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:04,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\w7tbp.dll
2019-01-09 03:12:04,967 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\SIWPortable.exe
2019-01-09 03:12:05,187 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\help.html
2019-01-09 03:12:05,203 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\EULA.txt
2019-01-09 03:12:05,203 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:05,217 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:05,217 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:05,233 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:05,233 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:05,250 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\DefaultData\siw_init.xml
2019-01-09 03:12:05,342 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data\PortableApps.comInstaller\license.ini
2019-01-09 03:12:05,515 [modules.auxiliary.human] INFO: Found button "&Run SIW Portable", clicking it
2019-01-09 03:15:54,530 [modules.auxiliary.human] INFO: Found button "&Run SIW Portable", clicking it
2019-01-09 03:15:55,437 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:55,437 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:55,437 [lib.api.process] INFO: Successfully terminated process with pid 1440.
2019-01-09 03:16:05,046 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsz2.tmp'" does not exist, skip.
2019-01-09 03:16:05,108 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 10:28:26,834 [lib.cuckoo.core.scheduler] INFO: Task #621: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 10:28:27,197 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 4611 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/621/dump.pcap)
2019-01-09 10:28:30,163 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 10:32:46,910 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 10:34:31,875 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 10:34:42,064 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b50f951d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 10:34:42,067 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50f951d0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50f951d0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5327288505729028
free_bytes_available: 213920999529775104
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable
total_number_of_bytes: 216172800966947938
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103690240
free_bytes_available: 24103690240
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 0
free_bytes_available: 26761941483754
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable
total_number_of_bytes: 4296209312
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103690240
free_bytes_available: 24103690240
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Creates executable files on the filesystem (6 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\InstallOptions.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\SIWPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\LangDLL.dll
The binary likely contains encrypted or compressed data. (3 events)
section {u'size_of_data': u'0x0001be00', u'virtual_address': u'0x00134000', u'entropy': 7.253324349213555, u'name': u'.rsrc', u'virtual_size': u'0x0001bd00'} entropy 7.25332434921 description A section with a high entropy has been found
section {u'size_of_data': u'0x00001000', u'virtual_address': u'0x00150000', u'entropy': 7.8650257965944945, u'name': u'.reloc', u'virtual_size': u'0x00000f8a'} entropy 7.86502579659 description A section with a high entropy has been found
entropy 0.745161290323 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process SIWPortable_2011.10.29.paf.exe (1440)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable_2011.10.29.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Other\Source
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\InstallOptions.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\SIWPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\EULA.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\DefaultData\siw_init.xml
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\LangDLL.dll
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data\PortableApps.comInstaller\license.ini
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable_2011.10.29.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\ioSpecial.ini

Process SIWPortable_2011.10.29.paf.exe (1440)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling

Process SIWPortable_2011.10.29.paf.exe (1440)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process SIWPortable_2011.10.29.paf.exe (1440)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data\PortableApps.comInstaller
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\7zTemp\7z.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Other\*.*
    • C:\PortableApps
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\7zTemp

Process SIWPortable_2011.10.29.paf.exe (1440)

  • DLLs Loaded

    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsu3.tmp\System.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • SHFOLDER
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsu3.tmp\w7tbp.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsu3.tmp\InstallOptions.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsu3.tmp\FindProcDLL.dll
    • browseui.dll
    • shell32.dll
    • UxTheme.dll
    • C:\WINDOWS\system32\browseui.dll
    • RichEd20
    • SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsu3.tmp\LangDLL.dll
    • ole32.dll
    • SETUPAPI.dll
    • PSAPI.DLL

PE Compile Time

2012-02-24 14:19:59

Signing Certificate

MD5 db3a693e05b702d2f348238ce0c52a83
SHA1 3fcf94139392f321dc7a067d21ac7a04710b8942
Serial Number f1e362709e9545879ccfc63c3e7d085d
Common Name Topala Software Solutions
Country CA
Locality None

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006f10 0x00007000 6.49788465186
.rdata 0x00008000 0x00002a92 0x00002c00 4.39389365097
.data 0x0000b000 0x00067ebc 0x00000200 1.472782261
.ndata 0x00073000 0x000c1000 0x00000000 0.0
.rsrc 0x00134000 0x0001bd00 0x0001be00 7.25332434921
.reloc 0x00150000 0x00000f8a 0x00001000 7.86502579659

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 None
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
@.reloc
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
[Rename]
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
WriteFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalFree
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.4-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
NullsoftInst
4HUWCS
raU*;|)
dQ@$|rO
KYcJal;
Y 0o0#G
L)3.%A
S(*]-$b
PU^tAZ*
cIfcu k
y2 %m?p
I6&F#m6
bBmog
IfY>SR
M(0_K,
RMeK<R0
}1K^c)
5eklmA
uLK['A16
$Zza,NV
?*wtTDFC
YTfCVu|
PN9r2@
^[B+K.
cD/\>\S
%BiOT
+xZH9Yk
Dyv=@
=S28)C
?0rdZ.b
iODOT`A
lERmKg
3R~(n*b
8iUP/
hPUEZ3%NxO
Ea?xaV
_JO5j`F
NQM"2
mbV.aCh
iOv:%T1
ngeO5(
X-W:4!
#mWl5H
"Sisn3
@D=PW?
\GS74^
@7xo.f
q~|[!'
.Y_;*c
Ku#g/a
BCS~|e
(w&aN/
j*ri>,
2[YfgL
xBv$Y$
e.kIE@
lSkAEFT
&)al?j
D=MJ@\
akukXku
K79kBB.e
b_Y9d>
'=#C7t
4#F!7
z2aK`p3_
40j"e^Q
)L:txF
JYS6@ee,
DTs~/8
jQJfwY
MHDnyjfS
G.\1Ok
G|.3]x
pOP_@4
f79S_0B
n'ZWK!4w
wf1\LM
ke)%O
A2MI76
{Zu7$Z
"(bfwJf
7SB$51
7K:Om+
S(YY|
=vEQv22P
2* q&+
)BnVdf
(*"W`
'aksM!
}IGQ<
.z\Z@ey
`4TGu#
'$@]Bej
U,%xStf
b FpeEW
Zy_ya[
&a=IVy;>
yL3x|>
Xej/&6
u.OlIR
BS6O|>
uuowO:
hES[9
xD;#&O
b"hxmKB
r{QE{|
1{qUrT
ORJ87#
MslP?h
\_hqEUz
t,CxM}O}
2ugPG6j
XK-:tX
(z2/7o7
fN8kZ zl
G7vEUr
SPi4#!ff
aBxf8!
_?@K\C
'/@2O%Dg
=jfjjg:
-.)[wNg
bj,tKB
]Mopwp
u>vB:8
L7}2>N
~p$[cn
dOaM|&~
8E,l-r
(|&+X=tS
69M:^E
Go8p&zcH
2NoQ3i
um[#nQ
i]yB_@
={4,{@xVT
rc'H-Zl
 Zb6
C$%ptx
$eJu266
{E?EU|y
&Y,cE,
"w2N1Q
[&o9I^
Ue6)H
&`Aq*/
1LBzqKV"
,vavOT
(f0F_h
5xB7M0
8_6CTOn
C!80#G
!gNg3ZN
t}j$R.Q
dL;Ot=
_~Z@\5
nH3LH!i
~$k#C0
t.Si}`p
V+JNg}2
=]?T(&[O
.)<i+FhM${
g2*;@F
FwL+0=
E6fv=m\
X<?8FF'
mI=p"
bteY9"t8=
v{UfBy
-5~kg0xI
}l_VaP
;m_"Vr+
}*tXT
MZg~'y
iwn|$<_~
3^"/tB
{"WxQE
`P$_g9E
Gys+P?
uOuW#8
j3AZ|
0b`X2E
j3RWcz
W`tASQ9
2[^ <:
z-HW=\
bG[;fr
vq_IAG
os_a&K
Zv`p-e
K:I<W
K38*79y
^J(^<^
r6#mzKH
'_fg5g
[ OD%;#C
RLt.iyS
D;o;T2V
FlwC5y=
]7zanM
4%]^F+
arG}v(l"
;n2 a&
"j"(zmS
QM~2$=1
$?[w>p
&p5D+l
"xnp^^LZuu
.sZ<qd
7W4sb R[t
0KR;~)
3.]vVH
RY6G2#
. l#AY
FKcR;j`@
s(ULu)e+
Q{g%UH
Dh{l'9
&qC0K[F
rdouhf
KsHV*D
x/y5>n
NQj|1v
j;xWsj>3
d-1Ifm
*jaC>HZ
Dp73e.D
B#u0u^
O37Hca
|8S50mL
7%Tyjq5
i[6KaM
,{>2R+X
:tro]2
OE(_jad4/
L/yBO
*=m+#
r3t?%
p9_kF%0o
yEkNo%Z
a];9Tw
'Ii=;q
1|yS]a
^S13G\
{ze|dCA
C~1Q,U!
hOCtQGg
0M>S}}
mfoY%
y5q7wx
jts&M<
cm^6IHo"
jc&|=k
nA$'`L
DQk&%a
y@ZkQ;
oBcPay
~+TFDl C
_M\`N4
#C#F/0
+14.B9
l0JefZ
8Roj,w
{`<fPf\7
wfz6C=
LA~T k
,@hU^~
oa Bd=G
Uv09u[
EdqE@F6nT
[4MH\-
te>4tX
YuUUS*
5~g{5[
??1}z>
el:CH2
HNM9Qe
& .|i,
`BJR#W
\:#D)A
``lLa
SFmim_
B=<|&)
cVCkPr
%`K=3I
g)$ L?
5Yr@<}
ZALBB'
S?iKCL
Y!EMZH<
mq%7=Z
MtswK@
P-LP{C
:{7gg~
&Om$IZ
A5OCb^j[
Ft&UYLH
ipKR#C
t4?##!
bA[!g`
}x ~"t
l?1%&E
GnGNa5
Eu$UKK
L}yX,cn
ym^9$-z
G2ft@u
"dGy30
3cet?Ae?
( {4%,R
hF)8]ZpO
fG-7r9
AY7i8!
L.EPGU
u>A&E`
*ecs^*_W%x
j*V_Ws
z6Ha}Y
]j\f>2
L6k,c^]
mK|k+vG
z8&$Ku
<ZM__[cN"
c?o=C'R
xTu{q'"xzj
r9-UQ{
-V.9W"
(Chc\;
~+I=u)
#4>D@0
P/f~Ad
XbZ/8K
b<?oR}o,
AnIM8ej
"W(gb5b'
=fNhg^O
*9Nx7M|
->*n8*
TZHXO)o
I8e-~f
Lr/74a,
O'*o'4
w[b4y.
`+>2lvW
] ,g2
bI2Z.y
i9SkckWRj
~kcFZi
.2DJ%SK
'[_i{N
HeU}NG
4|mha!
]GJsZm
0xYTeK
~g,"3@!
z.^+VuZs(
8I|LF05d
OwXE1vr
6~I|(6
1h?g~':
lq0+!X
%'2OX[
$8XAa.
4ls#N1
*xe\['<
cIE<T0
LL1V{_
!T];D
4u3K8^
'7735+nu
&)3Ga&
8u1"Qa_fg?
g2jE%?
49o/F,t3{
gF`p-{x
Wi}EVw
E$mXr
A7D$0c
+]EZ@2
1Auo),
2Pe\CF
u'#`uG
cEhg_#
v[epR.
lG#UwP
MS24!@
\d*\8+
K2vk_{
1M9R=aT
tQo co
GCo]_xK-
G6>$4+
wfnO,q
w&"^ +
)P`i:81w
[{zSO^
h]5iB
63xIDOnj
61%}v2
+v,k"0
Op:73
F]ExYs
bX0bR/
1G*I,_
V^Qp8>
-ZVv Qf
LFU<#q
7JEA<~=
JPV#YB(
hV%Bn5
Wm({@ym
havRs^
9sR(>Z
(G(yJ=n
c,I5R_i
h$?$gG
{O+:Y=
1bl<Hb
cX9~<n9
$phYB_
`mQHb8
yG;V#z
@O5B@U
^BkNeSq
,r//grq
m~QH0V*5
::rE0~[
ZZ;}tD
-a[CtU
P 1xc8
t$Vyi8`
<;rk![5
TJXZdtL
s[Dd:g
\H,0}A
`t2*O,,
-g*n3
%fUu=I
'+qA**
YVs3Qup
9&4Oe*
{CBA7RW
~DWsFP
d*+a_F:l@
:p*&g+
q@C]"F]
-"w" 8
`P{![wb
S`>u%j
GQ<j6bX
uHTGT8
$AZf`+H
q&ysy[
c0*}H*Lx}
D6:|;%RK#
}"!L$+
]|2C!~_
AacX[`
gDSY>~
.>5ss7c
KJ{$2GN7
oc}sIQ
8W0#(`
h[cr./$
-ofQa
-m-M^v
Fa{|>o
xi[1~P
pw;//]Y
FcKjZr
V@H(gX
,=~;8*
wn',-m
.2_C_P
hkDG|u
D#?sr:>
}h;TwA
h[HVI-
B<L-}r
hmJJd&
~'SKJH
J:]2}Td!+!
FsA?=s
U{v@0
BAw{$A
C%rkDA*Vdr
igT?;t
1'*bk8
H4U){N7
H5[aC\qn
X<-zGr
un_a/}
2')c(0
#,4.Dw
p2>qYG|q
M')4m
mBPbZO9^
;+0KJ1t
LMR}^
%3vv\[
uKmS%!
$\`QOi!
|L7|tvu
Iki*PJnF2
~FvkVo
%}Nav\
)3C'Q4
{e@[iF
6 qv:n'uq
BG0?HLIn
'XeYR)
1JW3y:
~JHued
p#'V;de
k$((t96J
z<zO'C
`Nf@{`XaH
N4gN(9
5qz{QuQ
.NOH.'
u7S\
MLq=>H
!+%DOq
)T44A<
YKTZk|f
@FMIh<
M]l`kN
[Kg.zSUr
`If1ou
#j/"ygw
\]mDP9
9Y:"@urG
dfBF{O$p7/
+vQ"zE#
iga/1I
=epe:C=
~dRHnx
C.St{?,
|_Ts=y
j_^C%T
3iC.}/
C]4yj&7k
1$0@v-
as*IF|Wo
QrA"1k7xIU|
xku\o\N
9pZq:~
@`LviR
i6`sK8
2AR`K'
0;d1:Liju
gRQ8y3M
zLb7hq>ZW
&Q$?VR1#
J]XV%<{
pwK4)t
a:qio*
*%g&P|?
YS(vX,
O*A| H
b`+,E+
w*Gzx3
xqVSm.
l<UlL@
yUzMZt
Ba4I@LV
Tl)K-w
7-g24@$dr
nrq-fLY
9XiL^>$
.2A!S\
x5(U+\+
GAoMt
vxWU`/
t[jgPh6m
?O%8jp
*%3Wu9
-`m5|P
bA(6hI
[!p =f
4/23$=
n{N(Wr
Z^3kYs!
'zW0cPt
tCyK^=
`w=Tw|
ha;xcR
SpJNXj.
b\v'ZC
a{m7^
v$Cg*:*.T
L&Ef%'_4
:px7xk
Mqo;?m
&ZW:F@)
TYjyXT
,7[Bv3
gTHMfA
ddM"D1
RRe<QI
CMxk{r
5y(/hD'
A6.8GEN<s
b5dLC`%;
"gZPX=
1z"s%az
9(TZD|
KvXxu=P
ftz*Ka
dY-33W
2kmV~?
~xA|"u=
y1&tq.
NZZ{6*
eBm!E_9C7U
-!y/)c
Z{U.sv
<(PMbWm
tAyPF]
1,`4OCa
9[KZmy
Ryj&A1
qJf#Bv&
\$#d`u
y*x7|c_
EQx]?+
A\XoBmv
k!>0v_
Y%RNmSr
[BN=P+
J2dzuZ3
-h/*&(
||\}jik%
`j$Nc@
Js*iwM
5PcCgH
CB ""9
C[RoDU@?
;JIXD$
Z|&Wfp"
\LYbP*
LT#Kp~
"0}@G[
GjVI;c
:cUtM$E
2xH4*YC
(O*_gn
`RS-SxU
^[PT"S
~@[n]
zBAViz
EdQV}P
<L:]n]b
2Vz6_)
<TjkpP
("uMt
$m@5sq
%R.Ls
mfH@1i4
n]9mlc
W/<y{;{z
X_^,97-^
"&^<<W
VFI1I7y
@Zk\z?
"XdbDH
l"~8#(U
r`!;~l0
E0Tt $
um&gM5"
RD&2Qm
vT`use
I5u3sC3:
:mo>Bt
pAWgNl:
jy1P=m
U"Plz2Hu
8@kK1k
n&7jy
Hk.cGj
[Va'\70i
0ZXgN/g
9(6D>j
K2E=3T
:BaT5[
XgJf'B
\z`aF_
O?G=Fc&
~'{:shw-3
fdaOWH
cT:zTN
S7ny:e&T
,YVL#~]
z\LHC#
3$M!^$
oxC/:[^
?^5-D
5<"J@8
"FIh[ltQ
/UkG_w"
U`r!>w
E$YLjt
ns5;e(
;.H)+:q
!(Tdk0
WAj0,O
vnWm&
)2.,HyeS
jQTc:,
RFjR!
IH|D!L.$rk)
K8"j+q
X\2gZbb9_
8.C5!$
PNHXuHk
1RJj_$
JM+^~~
pS!h_#/
xfUg&m
u8mo{U5
|TXp2IN
uKmqre
F]40!X
j94D/-K$
E~h&[m
96j*^W
9e4qq.#(
b_+kP[
3BgzBl
.OHeha
x&++EC
e'Jzw
zbh\Q'
=cmWeS
HPPp9])z}4
5Ee`N
R0Cw>lP
wED5_-
]-i}(
y;vQo=
K?hkTf
8C$;b(
KNyW
P3j}=&/
{};~8[
b^-s?B
wh&#k E
,E^)?:f
(>A/;J~s-
J\$~[X
*H+$<d2
jg'`4
p{RYG6i
qgOgT
Eg20%KI
j&!Ox;
6Co'zQ2<0
[N4,<
@53s;I
uv/~~y+b
sd=t8)
vTG},fw
iKrrg"
RLc!wkc
6)K>09{
_ZW[,5
c$3@R/
<U:k%f
u-8T7H
n\4MAO
DOK4q~
CKN_:BBh
{Dhc iE
|9Br}P
|]5L'O\
4o.{v5hH
'(R}G^
QJi^s}5K
,hb'T
4t*XEP"9
g}d-S{
oq2gDN
>i&||'
93f5V]
`yY5ig
[:J65q
#<NiJV
/(4l}2yq
eJlQC@`Ra
s5hcMY
=/h)4O
Flp;;%
s[z\|.
=zYa?
{okQ@g
I9M#/q
[vA3NCj
r;w+|^?
Qle(Cj&1
m/<Ig
-e\bke
f1no>q
r+8~_@
B^ 'ef
iynvr+N
!@c=lZG
_-yo{g
B w_xz
FKx!wz(
u5]*@m\^
s*h'^1
Issa0v
cd^}Gh4
U84Q+)
^-MV$H
BM@U=/
B=>NtR+
S8xfZB
9`xh8v
DoE#WM
b3eR]U
v~-|aT
&OcgS#
yoULfY6
v`n1Yc,}
3Rb,alg
?S|?%<gV
d}%]X3(%
.)>Qm
<)X==8#
AAeg/3
b,6S,I:[v
7 A8CW
EImG~U
XYTuipU
DxMTfm
/91k2q
WqRymk
L3+Gy0
U:l\ q<T{J
4=|C6'
X=]*-,
XZ|Zb<L
~iTBT
r)y9m-ryJ
tPRBUL
rmuxO
>}`1(9[|yRe+
itA2<G
);#L?e
cc~#b9,
KmsJ\u
<q*$"U
Zifflk
K\GG$uf
upU9?V
n@6pW5
I#~BI#
KgFd0n
ogI,`{a
.O=h!r
!m!_q`
.dY2Tj9*Cz
/Rv$Xk
%QB:hI
_D[107
P>X jV
k(g6e|a
NWDbo*=
x}%1k[=
2<dX n
dB;9{1
V;w?MR
?NDh7/
wg*tJ6
~U=Tcwm
.xJZ.5
]`O+~|ag
^%NQXA
Plb%as
02h*_u
Q-Ns|\h
k_fD"L
<=mo<
@c]JWR
9MJy9
H~4UdsN
f<l?Ir
-wS/0bl
obhkhTF
z@zMl(
'&;Wk*
d p2 K
*vzb|!W
>wF@HI
>@/)&.
BBL6-\
?fXK#q
%l@+qi
|4# Wl
.s/CI.
rkmUa-
7Uj]lO
w2K&U1*c#
<gDFA)
uM<}9N
<;S}A'w
"* 3$r
_BH8QJ
Q!.@0ia|
III~IpG
o(F^8[
2|$MnB
^'gNa9
S*?Byl
>YY?qi
3HS:\F
|wr~&y
3Uk|JH
rlZ~gM>W
Yp.s_P
E'l2F&e
ve-Bw,
bY[pHy
quLTQg
3KvA!L
}'?ew[
!wn=HK
PU{vb7
EU.*K)
Rp+1e"
gItmyi
V(L 3A(`
M<F(.N
KLMu{~
C,O&SH
t^c$)^
L|iVjS
/eQ9il2
y.[|ar
x&J}'7
dLYhjY
M.blN
KbIP(L
;jyA\O%
(rhb5q
\_(3N.
^'bj7>0
6H@ m?(foL)
l`1E<@|
dDJT_q,1
-|2@xd
>J9vtq
fu+Z<,
z|yB~UeAb~
KML@y-
o}D3by
5q/wWV
zljs~1
w|D FE
.$Thyk
ViDk*=
-]] pV
zh^&.I
v2>r(*
F#zk1z
t9p@j
&lP.gf
\f|6*d
SGOplt
:*oL_{
7,!'M
Y[8$"3
.K(L$
q/}tLz
6%?FzG
dmr+4bm:a
^;p8^YiE
_H#2G5
.oCoX^
C'*%`+
GDE<>$Slo
JeJUl1
KS4nQy
a`lG7JO
UXu8#1zf
)^0P>k
3?p+29o
_x +C
r8wLnS
hLEvj\
iUbW&t
$>41gC
=4x1sRP[
\$ey:HU
.;%M=X<
Sq|ifu
QqT5./
Xr$'(uSU
{g,d4~::
y8]HCt
,$KWBfP
V}44%fds
^Cp>9^{w
q$w|=e
|klQ,Pru
R'/Td%rw
,tf&$E
J48~K}
YKd[875\
X|LwVj
oY<dqD
%*'w\!.
YZ{5B#
^CRFQr
d~T>sW
J@i$'s
y?\ouY
)(e]MC
B')h'+
\tC+>t
G"aRZCp
m2/BAf
[+w{P^'u
r NiVE
Uql[ot
J~![n\-j
+O\vb/vnjF
o#8ss1
NOkKfD
c)^ZLiB
n{Zp?.d
X2zH)>{
QUaC4Mm(%
d`HqpS
P/n!"!4S
]xgqn6
mC3AuM1iLK\
1lAvN<
t_e0?+3
B!$OU7$|k*
ac&CBY
[=s8tI
z_K/U
teT'cO
f>XF}Y
^#8Z,Y7
eG"qmWB
<U%mJg
eU[uD/
z$v!LP
C?KSE#DO
O?%+bI
~:Oup4
l>tp"P
O!Rar[
~cwYGe
u{XG`0
Yb~$";
b.(jV(
F:Iu8@
3I9a2>O
gnANhL
*azU=,
CFUs ]bi
?hHsj$
PPTRE&
>+02yE
GR=S7;f
>[K_NF
J v,aaT
}kEi3#
Jl;<|2
=FMJ3}
k9dGy.
|3)^xlO
gT=0"s
tSCv?Hsw
^}LPNK:<
H/|A8T'
J6,D3J
rSA\pphE=
I&+9Hg@
&Zu(Vh=%
3C.PK<
P)Y5!y
}}L&I#
mfGC/U
DFLzsBZ
JrI@Zh(
8~^_G}
D 'w8'gK
>7O~\l
saq~U?
^uJ]QK
G.+^5jE
fLrp0:
Nx.U;$
{>UY5$
z|7b&r
L}LLiA
\O:H;!m*
j0ZytB`
/dV%nN
yQ{zx:
]J(P%!
0GNs!:JNe
'i.5Ns
;`>S,o
Zl~7$^
du"24
mh$O3a
U}1dN8e!
fhpzD\
:##vEv}
n&9rfX
j>sHr
4/7uYM
5s,I)1
=)c=vEA
9oW/$&rA
0d:XIy
CDTSV<
n0^m8,
O6%?K~
T.KUMe]
mn%e`c
Dn,>;4
LlY|WH
w?(c=,
S.k4)\
aG.v8w0
#O3iYb=
5GwEw
%}yrU5
@QlUFn1
8l*nCW
c(*&Be
f&#4'N
3>Q]j4^
C%pTSZ
._4Oa{m
qarr2BWO
hubJsg
,{i{dl
8'*YUa
qnUD,4
pWbzL*
mD,a,AY}
m'lY'Ei?
/3=[M]
4y>UUB
q]6"8~f
E\(W:!0
53!/@7
5`_6sg
30;Sl"Y
ys*5Vd7Be
:+H(AF
i<)5@'A
-J:]j.
~wo>kz
T\!\TB
BcP3H}
ahM,E]
}<$8<}{X%_D
I)8F_*C
|(3WwL
7zj'?T00)N
<7"{cA
]%rh'1
<deMhh
oX(h,%}>
}2%9de
ct8BH!
T>u_dfW
aA6H)O
l|g_fa
6u'.+l
3Mw;>82
f&x;'^
e7Vpd)
m1ns}[
$R5v4{
Xn}utN*2
DPoK0:
'wf)tYDp
LKTlJw
i>/G+I
FxB Bd
\TEYvD
G6vqV2
O&bgv'
g'FO9m
X,nR&Id
7MEFLY
0{./HA
>#R)Dww
~@>pf^
84OJCP.
O^W,;n
YbHke-
{( NFYkm
#&6Pk:
p-y?'A
yC;r8(
?_%EB-i
tN3JSN
yIwVLv
w7nLFK
~\"t)
{FZ/
??J_D6
b]M\c_#U
UsKM]%~ \5Kt
%Vi1-}
]W!_Q#K!
2g.}w[
*x~mNi
1U*<O<
b"fO?L
|0ACm1"-QZh
)`R<Yv
Yh8*B.
%0,7]4Z2
:nA(8Ey[
s_s`v|
>TIU$]
8s5~@Jw
L=jh~C
<7e=`v>
3a!BW(eg
)ETn9c
x9Z?U6|[
l6OIH>
~UjDE0
LHM(m
U/$%V~}:V
CN7g$Lv
&\C;J"
#w=r[]G
Q$6w)|
.dQhJg
TNmR4t
NB;'pU
=SNyJf3~X
L_"SX{
H@QI#/
#(8sWsN
JRrMPT
m0zz8X;{
"c_]9z
;*\l?u
#uju!r
ox&f>1h
P%1{[P"
?vnLVV
M-+q/z
esU{f"[
a#FP*W
J|>-?P
H,nK-Z$sV
bPPQ2dN
Bf_J1mq
X.TXVE
G$#]n_
0e.PbD
TT(HP'y
3.nXXrtY
jeT5fj
oe>.=q
z}v;CO41
xfhnn
DjoL@V
3$7@Yp
PMOVS&B
CNpk3<
b_I-/dR
ey,5L[
rPS$8
7}>oJ=
qv}:Svs&
:zB~1`2
rQ}.A
y*!nu.
zbp~P6
vppCcP
fr$RH5
t8[).*6
A+o*M^
l+v&vD
IDE&U
a\ EfoZ=
*3_HJS
=PJWZ1p!
?z]+M!
#uI?y
':[1;R
2-w&k/\
Ki,YMt
A+?`I"
i6R#EG
ab%`>z1
T&sQ)<w
jwB"-/
L!>I`E
~.lV:9B
J_V#b6
.=?-5A
x,]>DW
),|0?A
)PfW$$
~W/kl=
|gPRk0x_
-Fg!_xhg
YvtbtSH
k67<V=
H:*LwA
~y %V0
Uu*9@_
`<'-#|f
YA.cs"
DJy:Vi
=rRl|g
ypNv$.
C[W875
"z.!rD
Q},aa1xM
_ed|r_a
jQ:U-~
_JPe/-
cI?vbbtf
\[s3}X*
|.4h;u
OHD9(FbF
}P}qAg
PThO{
Q)uurt
Iqr(A$
0uf]?'
h!;o6]
@xM_ve)
e"fZ [h
|S@^$`bN3?
xs[1]gi
05)fU3VP
\{0@Txj
X+b92%
lz21C8<@ns
z?gp"L
RK:rLUr
sorA-s
JI6;'<
-AGK(C
3D}4nR
yAqM\s
ov@!Js
X}4wv]X
('3y#<o
=hZ;$e
*!NaB%)v
]<}k!"
b+l'G
khXMU22
F@RjU^
}\|Y7'
s*M\C=_
\UZuiU
QGJUU5
x0Y8$y
=r8:\[c
'>GGsu
G#`om{
;1c$b#H
&"+>Q+xh
,?Pg_+U4
djD:]u
>oo0BJ
7/&6hw8
O"RAQC
&^V/i+1[
*&6J(m?
~&OVa+x
8\D>6J]/@
tMi.^Z
d (Mn<
V*#y[s
=hu6(h
Z"3Xug>
$xWqQ9Q)v\l
hwS5Lx
=xb{n&
AQU8,I
U%b,zu
<".8Xn
$+K^n1>
,zXOIz
+On//2
1iE0}e$
-PQg_E:
\{I*#=
erL+v.2xE
_s*Fv.
+nvX;j
{8sqW?
t{tM=f,
T<@D4r
:XW#M|
X6c\I\?
>/`K c
9Ff,t
D/TNiS
h!:n|g
o|R,J<
\T1{E0W
>y5=g[H
'p0a*$
qE@_!0
q.I>V:+
Y@wIpnU
,my)&2
hG0;q,
{]:!?v
tZ{v#;
,i()%Ypp
2xg/%IY
rI(Q4k
L"`Y;j/
96.+"e
yU&.)?
)`=2m:Ax
"i:~]-<wJNh
`D]`<9
~4dydc
YPo^\;L>
/o=grb
5^!-k\
M+5NSS
&3'Nb^{
gyr3"^
?GCI[v/
)iOcI@
b;NUHy
o&ld6o
{vB}?<[5
914RCC
?L\5>-
8}j4`D
@/:(yN
!>`VL\
b!( 0=
<[Y.h<u
rjU_h9
V#,uk#
W}RpVJ
0e9CP]
_8&Et(
czEc')L
J 5DV-
jQ'HwN#A
/]jVUD
K\CGry
,LKV7MU6eoK019
U>A/3=
?9~seuV
dD6MU L
)($^NF&Lp
#gOi'~
pA@4Ki
zLcFn5*
]&B{SY
Wm"`N;
+}VYRZ
(9`eL9
we?5Jh
\c5-{+?
JSmu`J
nz~CQ
cI+gAK<n9I
:S"aOJ
xmJRh.kv
<uBurO
ASW2nc"
l6[hX*
q7-l.i
bnpd{W
`1H~8(N
safBy!
7(Un[Wv
1!vFKad
Y[RB2$
P-8M@8
2G3~f_
~6\Na?
je:tS,
3xc~4g
Hx;<YX
8!@Aa@
Ekga!]o
/&8WQs^
VIp%3N
#34N^>QVR
EA_X'YW
CzHnb!
fMg5GY<[
CB,K'$
7j.5Z(
"ybtH{
w @K&
Q87abVOB
W;%RA3/
t8qdNU
K1TS>8"0
9o2QiY
I]$>9
,Dr2ycq/b
GE&-oh
3J8bIC
YIX35t2
/r`cN<
5dJGqr
O)p51
P5el$j
VyY_1],
#/Mz.}
%q5.Yh
hPER<T
cvxu^e
qt-tE%g
v-15%f
/o(h_3
$Z&GG,9
=jr/8i
}5 u@mb
g!Lh%$
8f8mf+
l%Yp&!
wC_)@$*_
2]~4ZY
f/%]s{
~"EpZa>
!)"%]$
Fh"eMB
c{.'ue
f]^bf~
{F<vwj|*
WCY6dD@
#I"7cz U
2W)xb\\
5k8q7;}_
b h4W%
&ftEo_
O @x6i
-"iA'~
wG"8%mC
EI&f*_
iX}F0Y0
MAS^Bw
p<b;.4k
^+{hY*"
uq!yLm
FW2Ucg
Ejg_E.
G2AjO)>6
}Sve4B
%sSoQD
\Z6m]+c
b1? kw
(gX&5A
u9cIqC
N'74;9
j,!=8]
f}4R's
rPnC4r
i9[d{^
qq=$7
9|T{9,0
/p%xU~
QI*JFne
YO_8Y;
+AiQ9eN
Qe*yb{`
8haMT@N{
/+e,gIY
XYscx<
*bKerx|
!P?jY$
ocR!xaH
H:%EyKm{"
cvl;W(
lOt1xO
IKW]wFR
;@G{HG
+O@&cM
V~;A<=
3K/yh(
o:Q<Q
<]Xq-,)
PlM!tOo
0WWQ>q
p1A?ef
@Db"*o
0?_:B@
3-A4og
OGKS8i7DW
;9wWD6,
qeeXZ70!
;=V!L{i7
'%MD~sS
^ZE>(
<WRcd24)
.V|oWn
u_k'LE=h
Y^XGtJ=
w*;Df/
<$=0d4
wO\m#.X
]mMr%Y
,R3XXxVY7
o<3h==
sIv>!ha
'X73pLZ0
|xYz24
{jY>cu
ydiFl0
jnV X,
&^oe4]k
4$aJYp*
l*>-m
~d:w`T
4|~v<[;\
OjWV&%
>q%3L@S
aNO<^2+i
-k)z"~
hMIZ8[
:kI<W8
3BVpD{
[^]v-
i\:ZOn
n~cFBh|
Ki> Do
v}iY/k
(^9Rt"c
SKS`2}
4FSfPo
i5alDbZx
Pw7]Zc
f7;K6Q
CFuIE:
.yczCx
%7v%yI+5
$@u`*qKTK
25|geX
AVVkTtz
^z|UKn
R0TMp`
Bm;=76
b]ILC
Tm(g]A
}'!g0
Y@g<J./
?<O9x]
*7QoSE9
4R @Ol
%|XJ{3+
~,H'q~e
(zYM#)
T.rG*m
c.`4=ly
'P3ecN
3JynPl
4SWhY]
_jiX6(
kX7)).
&or\)N5
G<B{Y:
`L4Xyq
T0A0d4
<:Om7d
FU+u{
6kXl%@
',DXn
mU) L,"
]DQVHq2
(WU.@t
6rN!BK
/i9x,h
PZ#`r#>3
[?oi)rFx
%cy-il
QgK_v09
?b[kfv(S
6$}_53
RL.>x#
5`+(8h
V?;h51
U*<!.f
:Q0\XP
XMM5@;*
NqQ(6e\
CWBXc[`
g[[+jJR
M<dM#3
VTxJM>
WB6jir
ap;1{YA
atgo@!
u3cOw@<a
S>`F_l
}%SWGq
FlGbSj
p|3VN+6QQ
M+,J[;d
v}pUEJ.
o9V_JEc5
hy0}n;b
8gRrRr
>YE9(1
T++Yfr
caU&\B?
c6=oXKr
fBm)}}c
}n{gt`
*kGgc)
;&n8Ou<$^
qC17<r_
LD3]#[
;["rWrg
XuPOiE
2EX7xA
R4-9X2
_sWRLp[
XJC"=
9d=`V'5
E.yv6,
14NH'Z
6J553T
$u8p7Y
]ig>}8M
T.5|KW
F:x;/R
p#vQfml
yCg`76!-
A8<B:Z
rHcrf`
O=X{rm
p[Kwv:
Xt`p^2
]A?mK-(R
u@0daq
6:nH{j^
uRq`$bC
`f\&Zf
KAVRH!
Gp-Dx!
Ay\97KI
vctrr)Mfa
ugUld.
0!V^N8-
G'1/AV1
lBQU4x;0&e
p3?8326A9
$o@rl"
,V;};t|
_ec(u"/
m'uI0%
$+y?,,
L?KEM/
ehg@XI
\Xj=b*
?rr%<6
^3"d=l
6%q<{A
,XTp{V
3MDyg:v
~otmgt
T}@JX4
!LLU^m
p&Ptu5
GP0s>&
S*pLyj
Uog)&@A
L^lY"V
fo3@F
r,m_mE
aK3oOMQ,
3k hQ
]]Gb6O
^\(|L<
R~:lEK
I+Ag95
hALGF}
oHFm5W
SH6ecc\
G8yR`o
9z`u}-{
9!VkJ
O0H[m{
^/Q,JzI
teE_:
RDT\#lWT1f
Zz:}:5
ruXvU@
T1aw9Ku
#J=/1\
M}lXDQ
p|%@."P
n75+iaH
msZ#",
f7sr,C}
Y^$[6U'
N:K9G
+Yxm$]r
'%LoNC
n{yc.E
^D}|Nq
8vXQdU
EK^l:U
-/p>apx9
&Iw4k&dD
:WC}O
@4kHku
-T`{n\g_Q$i
0LD}>a
|EA,Q{>v
kgisF_
NH7*S@n/h
`|kty&
_,0Qtk
}1<<~BM
T8L'Dh
!D5l{)
O+B;Y;
$_Iw%B.f
/e,.gLD
{6pMt5
?vkbsc
Bj_HHl
V_Yugem&
!@S:UW
vtBdK=
'y3LRre,}-&+h
B2~Vus
Fx9A`#T)
1~H[JQz
$}mAMf
_>yC`
N5?c p
czGx-
&9dMw7
3|`@cxoy.
;H792z
xiYflo
h'I:R^C
Vx1P=SZ
~Xy0_/E
)dC74s
'Zq#mh7
"C[*]v1
gW?l?&z
]Y(|m++}
3jk_is
hDAmDfz
E{6<rm
tASs!
9%xzHU
vZG: T
IH$!&CAMqPI
DO~1tz
V_mLx(
BMUX848
76}{M^
7:Y(NG
@U85?`.
7sQ&zQ
yAqY`<
-}&tUI
!(agy2
!X-tqa
Nz=Y[l
b%j.i;
ary49/
BKQ@WK
wPoAoK
_/;8+T^f
i0h77;
'K*c^#u
:0a!n9'.#V
yjthC1u
8QKAz{Q
Q(6L#l
)-ifAg
jJCMRY-
Lcyq\(
CGDmzd
4_N#Cb
R*{OP8
_B3Ssl
5[XRp+
C*=Om=
F{D}Cq{
Z1&5)-
+i%btf.CnD
?pGQ@q
nbI7yv
9BBk_u
O65[NYkC$
VI(hDB
Ia$:@9ar
X(dIya
S_@>biu
`zr5[g
TH+)/mK4
9/4QRV
rpATt>
S?h]6+
#z<b'.7
XRz`-~
qmM3Nr<du(
RmdhUD
\C5H&PR
"qovW0
,U3?vU<
{^GXoa
7Xp9o
eH6-hkK
FdNk6W
lXr75Ou
PSc}U.
=52x5J
}8}&*P
-P<g@
K9R83K
#1QSIw
z]VAI;
VZE\}ea
b2>~v
AIi4A7?{#
qCoSki
n&SK&S
"ZT>!PY$
n_l5Bu
8UD92+a
mKSAYU
vGp7g24_f
LN.&4HT5
)}l[l>@`n"
[#&uV1
dBg^X>
_!Kl@1
2&R2vw
a:[g6UA
UqDW_D
~6wj^X(
eLg2p&
guugox
U"y,%&
2;dlo\D
RkZb^F
b3,rM
a:sHhq
(eiiR(ud
WUtu:o
y/+Yn'
~sZ&:Y
r=a%=p
Twi&ZV
m[(n>Y
|w^;-Y
`pN54~
sg^xO.X
:GY7@/
5~d@?H
6:HO.*y
~}ezrO
6IP0j1
l2Fz2i
K\y7*t'
FO!JQs
z|1C9:
QZ"[GPXoI
[.2_0+
U~8Os1
m@1UsE
nS|1"!
E^yb`E
mF|Dwe
v'me"#
T82U{b
5c]U+\p
NWQ[5`!
j]P>wa
e%.d]j7
T_,aVl
m:1(\K
Fx+npl7
gPz,Wo
|0KI!yn
yVVDPA
$;y|P^!
+hL)y]
:2Vsaa
?maS.Aoo
xv=KN2
uZdPxB
KZE >UG
^YC2Jq
;N<-~K
K#+:?;
K38QDv
@JkW|4
d-M@^
ZR~1sH)
$g~HP$ TO
:2)w|'J3
8W$rQ
HHfEJs
fDVo+M
nA8?^6
*~F;|PfE
z XTvj
pm7UkE
,\7Mw]
y*858u
\3utoU
^]kTr/
&E<gXk
mN2<$
go&zK&9v
v>Q@VV
a3\%f(
GN;dYO
X>Z{r.
[4mTTo
k(CR;{
$70Tl?fWKP}
FD";~q+
c7b)&R
hm[O*.
0APexk
=4|b7L]
v*]YoX
CM^,l;
F49g
w)3[sr
-(\s6y
,XWngXJ
ij|*~y
Rc3XiR
kwjN[w
/B<}L
I_>(8>
pSdx{s
Ws0c4>3h
0xr>9a
$3UGya(
}s@mgP
TPw9<H
_4+SuuU
kOp688
kLTeA@
5a38 $
DCfx_;
_p\~s
&#S1F}
]wZ$I4F>K)
%A>[!h
5!p!&j
(H3qyg
DYM`9]
isIj(dX
f#}Qx6
DKLY1'
iMf%o[
Pw>3zu
QGMP_L@
?yudO@
-`u0Ul
5#WB($)
|[yQp
Ps0>T}
KRyh?+
6P(0$b
:^xt/{
Z:yXI,CrLx
`&e_;J
^}t,b<
PD>Y&k
"m<_fG?/
5f[o`x)
8aC6!6
DbF&fP5
(~D'0/5
tp-o8T
\L=G.F
%J`RB
!6<yY2
Zzdc#^Ur
//j]7'
foZFzt
O`awmA
6b7hrgVi
ihN L]
}:W05:#
I5%Y;U
UM>xi)L
t(GzQG
;9Sq2;
F3^!Hi6'
tN|.Iq^
Myu={{
'N5[W5&
PF,8F}F8
~f7a`>
U}+s&_
Rt'lV(`}
8nbTqH?[
?6"l7Oo
dI~r)gh
1/u?ZZ=X
{bZ}J]
WaK8e&
iU>XdD
j[I6*0#
*t^ x9
_J]la2*
pZ3,B
},oiM
a&e IO
T|Y"S);*
=S{*Q@
5!}+|@
$(.gRHK
~g?}0H/>-.
jwuAOw
Q}L(VJ
5<itE>
vHxoU|oO
CnH\[M
lX>@t
\.g'wZ
5$g%#G
JGnkQ$
ZBJnSX
VdPX.<
1 AR-m
Qhl9Tq
^x)*,O;
Wp\N.$
F;?t'w<;
9),q(LE
zT!n%8
i;*''s
jYpP0qC,)
LD;[z>
pmrRA*
p}1;lX+O
xZ+*an
`Nb<}-g
!ObX]|
?9#@Ek
r]j:?%
pEn?Pf
}=b?v:>
#e w//=?
c@,Je4*s
Kq!%`G
72v&n+
0EzOu%
;'I%nV5
yU0(8_A
/tf@(t
kBEyeL=F
[bw.7\
H\~_PIg
GF$*)]H
-H)B!}
/"a<S<
%7!)gP
iiYV'B
r YMG"
5<(?~I
)]4{N0\
tc.mD3
|5mez,P
\w`,gC
'pN%'Z3
OxQc9
K?VvW'
BqbI^E0
V!A09}R
qDYrXOl
.MHw|o
[rvhIyt
4"lb.K
rd')[F
6ySd|3
(U!H8y/a
ade^E-[
11c'vC
PGm~6G
yKHJ{
BuAgG/z
)`E-U
hP|0 DI"
M000:8
Ri}n^NX7t
Ke`Elo0
#n)#SvDF
^q=c^/
m+glK%
P+HY"QW
jU}RIA7
qnkX61Ula%C
m-\dd""`
|CLp&u1
?j<5'&
F%k`B9
\ANWeMR
jZ9v6QR
p|GdK~
%{q-_P
4d ZOt
sjmKZXc
L`F*h
};`!PS
p~C1-
6Bw3 |,
BD$[%T!
B$#v-`
J;.%0)
3$RyTU#
cx:6H@X
77rpq/
*ZNc1]
Q;dV`p
^n;J\,
,xSOPq
2q8()`)
SlXfr)o
+"V&p=
Tz@_Od
,Y(.%6
>DuXb(
p`S7BV
5Q;>FZ
5:*PHA
1xl2D^w
j;!GXD
,^I)"C
"+K~[|
!t~lre
d<8Nh'
ZM{AO~
z{7whJ
`H7}Qx1
p{`]*l
;])hQo
;>>d:,
LQ,b:(
0}G]>p
lH871I
</-cEj
r$"nA?eE
6/N*z~]
*&kQ:!
/l!)"
,m":c?
POtvFen
ZHX2l7$
SIuuE,-
8A2+q2=b
n*#+\4_
;Q}#hJ
d|Z_o@
,2 1]d
y13/J1
Ij>Ysx
ko7T(\
y,T9E:8->-q
u%9b+~
"(O6F3GcT
ud/Yk
W9|oj;
2k65>1
MSIO=e(
HGxja+5
Eqs*DsMi
4&azifI,/p@
Cn+]uw
w?&Fh{V
MzB*q_S
Prd+26<
zAc1.b
]M3\[}
>pJ``:
qyE-hy8
_j7tV&
oRjRm
iQ5Sz#m@
yn/;!d(S.A
8Gl\ajA
f8A?m5
4s,@a(
1Vy3+[Q
r;?B(*L
GZ|E:Hw=
xGv>vFR
Dz!8Z2C
8m".Hw
Q^lUw'
>.:Z60
d/.#<(
tx @e
heZDW~
_lx31MU\s'Z
9b1JZ@
Yf\Tfd
3@telI@
2(GRZ<
/2kyc!
M<vA4
/)ntn5
9>^arPQ
O<j02G=
2JX+Y
:h',&"
4z7YOV
rcG'{H
}:K__R
'z`JeW
;XfF# Z
QuBF]Q
+>u^}OhL
9+O\:XWc&
.G#PA'
% (90O~
dNEL)Ls
e1[^~R
{Hlz/
*zQ^
x4 cm^q
<O1#Yi
WvSt .
k*J`*!OC
{XT>pCk
ggBW'Q
@VDEI]^|
|3dg)f0|
Q)Me+=
Hb%!u
#ACx>T
4xY02D
s?WB7`
ICpe.X
03%UnQ
@jp#z_6aH
w8HElH
!*nQ)a
u6-7pP
T)_lj6,
]$H_/l
!0 L-_b"
d?Zc9G
[UxIl[
)B({7/: .
:COBJ<
W7xrKG
.X}OV+
2=b7k'O
8-}@4C
<VBAdV
X@-#W0
lT_&,:{
Q}|{)
lZ6]%#
GKNkKJ
~BVVR
9EPhC?
c,KQ_8
!;@{0#
9o@WF24
^ ;(kl
jpY>1`z
bb>{^~
Y'K*\E|
:.wD#D"
{:=7V}_
CgCRH-
%L5)A+
eiy-O+
*pUMS)
e-Pb_#d
Q=P0MTU
u$~]6
;rdQ#?
$7B%tm
!!DIwV
|pJdx2
BNGPcss
e|h:wG7%
Je^^p[lN
OOYNAJ
Dvozlj
A:`0H
X)4kMd
|KO!|)-
n(;:z0
j7]D#i
,>[3Dy'
/;JrKy
3-JO\-
-bn`3
V%8^f
Gz-zKm
K8'\d-
SSq2XnI
eO4x0&
Hl=p-&#`M
!*IsF7
cJn<n:b
J]?'oN
~}fZ\9
v;]!4zSs
NklO%l
}lP`3~Jg
I=B+pd~
syHp7:
%d#K:k
DbQL!Y
9T(58P_
X'[LEo4
jm85Gw{ f
dKn`m6
TKYAeS
kx6Bd:
5lD PM4
rzIoc[/0
Lniy7,
~Lvtp2
J&AIum
?^]9p~%
3C^e+z
J^TyCR
gv $ u2*
:gx%\Y
U4>X2\
me~(J;
q}ZIc+
>I]!3{S
.'$!#o
hoNt9
Xhs`hUJf
AD<A@V
/e^4^mf`
AmB:d~
GQAY|>
R#6_!^
i-H?5}Kq
i1ea#a
p$"%(ZH
a40}R@q7l
zbSz3cALC
YujD3;
`C3oLgj
MEcau'
/zN$>2
[KiH?)
3w-04}
EsE8{X
$R{';.
rd,\xH
}(48Uv
.!:Sb0
FK1JFL
qVZ$=1
`wZT/FJ
dN=.Z.
2|e@!W$
1l/%d+q
V$!c5x
bTy8$3
Bi>n>X?
E,*K"9
r?ERXJ
=X r}
!Ma.cRg5I
z38":k^L
0S3=LY
r5J5Un"
Jn1OiItQ;8?
o OEo6
Ef254
'!4wn!&
"bQR\J
O.]9Zp
_Z|>5
unn=hs
,mlA/Ke}
~y3{H>
=l,e|r
V.edeL3<E
^Ez^wB
[dJ<NY
:8Gt^"
8kZu1U]2
G3f:pZM
AbO=RR
$Ltpg
/{2G4A!
)jbSK-
g1d;JCi
022YME
)l8%!R
2uWhF~
Nz6:M0
x8Q{NoG
C>^m:R
!nw>Jmb
q={sCq0
\kT-1E{;7
&hF.~Q
OJx.}gFD
^,AB+
,k}e e$E
R'h%Tj
kE<P*l:
_Qh:1Z
`YVL^)
a9KbUj
P-/5)'
{8d>:s
"<\-#.
;O-w:$*-
-d!O\F4
n_C{o[1
O)XJ!']
O-{qjH
Ze6`z+r{
Fu^WQz
2],\BBS
Y28-Rn
cl/hS-]x
M%SF~eN;
,}o(:T
7Yd;g}"
^;)>oZ-Pl7
cRG?^$6+
jGqEL5
[e_yGY
y91-"s
T),h8(
9fVP~W
8,[7VIo
@x1R~fX
gW;U_$
&cM)^:
/b<j%`j
G[I-m'a
96dp6
Inv7*@H3
C@:^2*
cj3C{$
2cm<xL
`?+mYK$
xe&6d@
W7q|H8
N5O6<sd
{4lnn1v/
2$yoI:
Q6c3Q
?,8\(-M
+u\;Sd
W4$p&E
pDR&zW
E=OgJC
R8@7QM=
#(EUr*q
*^d]-
lI7646
4NU\h
B?Uhh)
zWwF0cY1
/Ov3k@
1v|oaj
i<{4N.
"k%BIZ
5gLyc{
+%OWF
lUPHl{
wjwm_}w3
-76o_N
HoSWvw
&Z^&u(
,P{#]%ja+
)8n_CA#
\2bXWN
BVg_p[
eC]%`/
G7O'(!
k,?M[#
V5TTG8
AQfu*b
xoX#tLR
rmU$Lp{
=SOg:
i&9-g-R
phMc-t
\`QtF+P
`c3>=RK
z+)YRW%
IW6ej3F
e>+9$%e!
&\]zR'
C]h.p2y
6wr[vx
hN7~%#
"b&N6,
YB{ewK0
4m>DyPb
rk^M!w'HT}
f,ph6q
gWVAI4
{@2fIw
WN/j`}
m`/uxUI]
SV[zL7
d&.P/zF
_gxa|s
s?s'2%`
ve(O5@|P
gS,)\hZ}
&Dn4(uk
CZ_}!m
_;BI<f*
Q't!gV
.w*M^<}
38;N.AP
+^cN{~
+z\?~F
[<#rgp&d
kT/8-z
9Lx\B)
w9nM}f
6V>^6I'
A]>Rh'
)(vU}m
TCx*^f
az#C;|
sjMw s
v?.z<R
rH-j8ia
5Nw,b5
ouiQ{=
ThI<J:
g}8@Xr
Q*xMEo
0%!IBZL
{Iz1b^
++u C6o"
OPB;mD{NI
SB+0rHk]
nQ>WK^
GJ^alZ
7zWqH+$P
w\1PQI
Y(m+vz
;Nvv(j
T,VzLq
k<iUL
HW9)n,
+Qvr8b
Dk:6$B
MQ'mHV
]3i#@L
BG6<J8b:
xC:EHj
:H@+{~
w6Re&P
+5QK^;
<uM^E?
+YgoIl$e
~S663[u
1Sc)4/
:0B$0V
Yt<$lBk
u~lEx
6FW@N7I
(!ka@-
62\-)-=|
dFr5m|"dH
[.kA|"
+nXi0+4
~a,*eV
WB%z_c
f`[[2GO*
>4r&'J
cwm/+]
>.)"{Yb
dSQW84x*u
>h}.;jab
<TY[a4
B)\OT8v
B%t.S0
n.TdU8
+$L5v6
4~|P;
y%UO]c
[%KNTt
'y:@"L
Yl$3jU
h$fZ[{
2KO9n*
xB:J7i
z6B(HP
<Z[0y#
|^+$l2<G
w]*Z<p
p^nj*;
~FDmsj
#S2en"
t\DHgH
'xKaO/
%0e{WS
L]B}hu
*{XA*u
T{~-!;
=Vw@8E*R
)qPDSM'
&,_[(zMcT
-KYV2v
K;t'>O
4Y@)@EN[
?WeI"2
)N{V.gD:v;>
t6cf?KkW
)d{GB=W
'ddLt?
/Kl{8n;;
t_-0=-
vE:,zt
Z1,/GMC
h0pzq9G
ei8BGJ
'g[io/
7 Zn|]P
:;f6Zh
S45c IAD
aom{tW
>CI-iCg
+S3|W*
M1 p(G
se_:!d
l3HxF
tn*A'
)r=b.=
@:TPl{
E{:5`l
i$|*slz
&HldrQ
v|wam(
uLXuQL
;Bn;L%M/
OX<16pU
9*-9-'
l**)Ru
D>-,-m
Xyuu.m
TCieTz
mwdtbx
aSlww5
H\U,h9
~TyQ@4
?kIM9r
%5.!$0*
\Sc2,H}
ndiB(W
RX<]-O*
!o._|d
|!&#OK
^f_pu2oS
(eb:UJ
8(%r)w+
veF_G;|?B8{
HdHr*nTT
Jl6TGr4
tDvF:,"
-Pb9@F
^"Jq<V{h
"2?2]
iQphHo
W&4z6W
%heED
8wg\hG
k;+[M2
3rOV0c_
#!w@hs
Vx/vg,/
i=e_/#K&
?z,U[>
`5a"|-
7.GRX^r
Vo.YTq
LgXqu3%*
Upzc(xMm
+~[C;u
3Q!$E+"
,,GCxT
{ZsP6c4
]E7KP|
!Ku"9h
KsH=N)/
offcfK
6Ozc,G
4WG00!
/uSarA
wg&H{Rj@m
=*2m-U
=fiTLee9
sq#&J.
g3nE1dy
Q=Iz%%N
PW(~KkX
MhBhR$2
JL8#:2h
t/ q&$
7*rYyV
f9`qH'N
e#?<Bv
{3kzAC
{XIqeR
K[iwyk}
y+\6Fb
<Bq|#U
~P\MW#
]|Mdu|*
/vnmmQwxB
ivb Rk
l1k,x ~d
|FBRT3
+nga#
'/N"Hk
;O[Gh6
EatFLq
aP_{.
]=..^`]G
="WDivb
dIMy<!
+Ns*~
jM~+5/
=ubNz"
:zHWX&
dG:)BD
=w\M5dR
&eE:N*
_Vx$mi>XY
UEzM7MP]
i1i,pJ#!-
r$Ae;cp
=fHR>k
:"tF]j$
BY-`W
uAgPqN=o`
X\'bA]
&$@.*vB
f9] o
YFe^(c
ux&X;\"
7?j4O8
7XvhG%
^`qp"3
NI-&Xqo
eoaK]Kk
.W[pZnY
&' XSy
yK,8Z_
}6EY)|
hSV9wT
RE=A0[
F4YBGAO}
x fADuG
ymnSV#
>9.T)5
f2EYg;
qKX@k8
E`+nyYu
#r^?mnO
q\H]';
Cr )J/
W#&z_"_=_
C+Pmfm
^@5WEB
HNa;*-
i#u]^
V0U)\kat
$)r?Qo
M.}m44
(9 +-Db
nRq7Ti
W{rU/n
-sVT0E
PW-hS
Z3TgE]
9XB/=
cM2Ol4W5
KFnfgK
:D8B-v2
bI{&@w
@CqGa1{
4dr$H|k
(%}_57
rPZCNF
JJ(Te}
7aKg-\
%9Jc<>
D9QT/WW
GiZK?]G
@umzSt
7H*#'s
m[y@#c~2
-}5ZY{
[t}5tz
a9YS8##
]BnFh
OlQ!YP
NYgF!@^
{:Z>_yV\?q
EpHsWjU
$@s*"3
m1(*VZ
P2Ku3\(
lIWJUK
b{w2`W
t H.hP
!p<iT>
6\o63d
ZU|) (1
($;>w+
;D2o B
o QWF;OV
TlNk0>
6gg\<Hl
n/N\Fx
{v@+Xj
Qf"'aD
>IE !O{l
dxY`o?I
:qn~AFs
SlF-Z>ZM
O'.cDZ
^?1_8X;'0
UJrWb&_
d`=511
rvIr.y
`V64oi
|ogN!#
tdgULf
bAKNoe
e*SH37g
;%0:rC*i
B0nb1h
*(Y7_^
0:H~lh.
X^zitX=
5$?7Hlu
rCXg{$
fbjLOG
d'%lpl
b6!CG C
Zq?0kw[
8e1!yy{u#
#$j7{#
1c '"4l1
[pm#%8
qT=@f0
tE]}&,)G
[memM,
69VYvg
#~[~c7
m>=L:1
b>U?J.
k_B"d|
X5WK8)u
+VDRm~N@
:0,C4y
fH$Rqg$zf7
r,2G5g
3D|d?
Z:vfO?"Bef
MVjB8R
6ORMd8D7X
HP~s|)
;$%EL6
r$Umx(
}g]ksp
Fk]-tN
NP<<VU
U\G*=_
a[5jl=gmj>
{m3v$~
wG*hxt.
CZIIx
-tIH8H
[r0BaO
;@a|CV
mzvs<1
yU/4q'
i2;eZF
(g28Pc
Iq?>y>F3
Hq(kP`y
DrU8Qb
*CKiG&
|a@{ZJ
K_-p"x
0ye=AF
@*RD[2
grkNiq
lvNQ+i
UL 6|$
#-Wp\KLE
q1ARn/
^mJk-f
K_qp"c0
D\zZWs0
LZQ:~Z
*gQ6fR
8v9"Ga
H!~xi`g
HQTGr~S
o>w5(dH\Q
'IQ`ET
zpIEtv9
~JU|ri
'FXQHG
PRI?@
^EHO2O]Se
1XHXLI
F;KuXQ:F
v=c]{t
'o()WT#G@
mjE@iL,'
agGT^
b~yd_A
Kpbg/[
g56(3G
U^3<Kn
uI0t?Bm
Zkx Dc
0GKjWGL
N3K!27
bu('}a
jY|'fO1^
VQxpa@
h4BSI{
t-=x.$<<5
4_oJ|#
aE071$2
^s/QPN~
X $lHV
&]@3Q\
wU\V03_
\HO+Wr`{
Qs1a)Z
5rt|]o
~$>'M$,v
Pt>ZZt
Y'+CY 7d
<w:9~q}
eDrxG>
P@b[("
F?MTko8
W%#:"oG,@>
.$MQTdu
A/n\1
"^f/f=?f
`OEYwj
-U*I_b<
GYxUL
2Yr,]XW
TP-}1
:ZZv/z
S&* B:h
A0X2Ham
5tWGL[5gz
j;iJ/z
*10`(e
;T'aT}p
ede$A}
p-<s`
$y[7=%
[0qHg6
i4N&E?m
yLaU5TA
K9fQKH
J2ySG$k
AH2lUs
WMCbGVjJ,
~DaUR}L4
n&&7%t
N=Fyf"
&w6"\v
U5rTee
blV{wo
Fp,=w8
%)W^v0
WYAd:keA$
Mmv).i
UmBm.W
&\X&)zms
"yHRR88{
L-Nwo}U
H.*INX
)`H?/B
0A#0&]
s*m*Ho
w'eLu
10W Nu
@^2-z#95
8n)vHDw
j5>(\-9
=v,RHO
I5v8^dj
Wm*LVj
bm!!}q
%B.N*^
{dxR3X
r6kXU9
n"Ue0J.
@WGgim
Yr3U*p
@E)4/(
2\ZV^SQH
ll%.`d!
[5-6lP
)V(?S8
TK8$
Yl<&go
Opew!!
yz!r,{'bxO
/#sb^B
[&G?:M
<3jUSc
cNW9u<
/@8 3}
+S<v `g0
[YMt`V
}:>Bx}
^2*%VA
mU?+i(
JM^dM>
,Po#r
h<~Cke
}drJzsT
R"H3L
'S53|X
hpax\"4
Qv>;=v
,]1]C;m
GUtr/\
(W)%?{/)
&bTR51O
a+VQ"\
'-X[77
+gFuf(v
B4:eN0
8Eh[$Y
M[Nx,BC:
o$&'M"
w[$+A
H_z2^7Tn
%.L Rs
1N&:s6X7
(8%r-Iz
d+a*46z
ux-e%l
L;Q"T*1
Mtyi\!
^]3QkY
=Z>B,a
fQmGIA
KXy%j&
tRs-('
(y8"H=<
^kh#ca
rRx+UH
q}d)\^Qzg
6i}z15i?
q9#ynL
!3@ea%4w
0:Q):J
6@(lP!
oS=>7%
FyJ([m
~A}zg\,
yNm_xQ
nuC[AS5z0
XB]wqI
/n^^bFb
NI~HF*y
Svm)WR\
|I. t%
AI(.?j
;SO8CT
V(Pwq[
Ktk0gt
C0v_H5
f3$Try9
G<E.p@A
%JwY;R>
),nSA,
%\wWXG
3 Tt)o
"m r<[
jnazTme
iOLW$qU
G]eL.v
X*\XeM
LBw#6\
,WJQLe }
]']RGc
y{^wnv
xJVQiv
y&{#+^
?j$h2HS
\d%a`E
B>jY1^
?tMs$C
]XTnQ"
:.Z4b+5
\UWy>ZR#Y
;F65ZPc
=8(|YD
s-06E|<
uUUQTdQ
.Ds`S
NkJVa/
}=PVA2
6lAb%/O
x8!FbV
2}iCm4
nSq.L}
NgxO04R
CQ3I-k
NMP1!n
$n%32SN
:A!W@E
c5I"'4
TT j-d8F$o|%
p EW>K3
aab@ti
a+Cyl;
exNYgU
El+BPc&
[G11A?
JDT'Y((
5M-0)Vi
W2dgfhq\
|'L&49
5w]]{4i
!<nI|
B T0w]
aEh-]p
Pv4kw-
EFQ1ts
Q==8\t
lXC2je
f>]HA0[
jf.HCPV
HqHEkN
K_$tz-
MXb/0.
yc3{nAS
/#vdgl
l|UEMR
P\O: ho
yNG7f[
^*15mY
uhTjS)
>UMAWIt
|3M3m2gH
H8*NpH
Zd)z"m7
\bCuB-
q{~s3JNF
u}'DW8
I(RHglO
*5qBAA8yo c
aO8YA&
3VUwA4
+Q9_!
UMW7EI
DX(K%Kj
J3TA(@
1R_Z)]
C(=XX{
e=dQPI\sU
V6IqmV;Aje
CI/oi
Q3d]tT
x!MeZC
"p+>e-B
^!GP@}
|/E*lB
_\\{Lz
j\5 <;
iz?Ky
HI-gCS
Blg&s9k
q~t{*5
Q_!po"
W xym]
3KkE*Ol
'w;<To
sKA'f;>
<F+sP9
~1dK7-x
674I(8
WG<m4
U:4IvN
qA(/cV
t)y`_R:
*"m7?%
~@1W}0
RO x)F
Fmp.-s
A7?`&4
sK"/|(
'Ol$mUCE
T9Vq})
[x!4M_
J^t!hp
,Qdrl=\sB4
ZOmNY-
PF(E?K
^73}'X
<N5GK&
:+?\>j@
nnAj1\A
$wj7AW
c]{&7x4
:BJPQwL
-+>ceg
`z<fM|54
`{Azf|
ZVy97;
0d7%C^
pZ(ppD
|6As(F
4XWNeU
L6i.J@
!!fN4c
q .jSiH
?$2l3Z
X<e)G@
;N2LI5G
Y!n(#`i
KF^~1W
`rov~t
&!akc9
{x'2*i
]Gd#%?
Z%Kae=:
.d?'f[
%`H;++
T35}}D
fzA?"zJT
"lQxR1
#!v *T
Hs;Ti]z
E=f#)-
Y,)C;;
ww9keC
5u3R?I
q{vQ'r
zS^a*{x
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
050607080910Z
200530104838Z0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
http://ocsp.usertrust.com0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
100510000000Z
150510235959Z0~1
Greater Manchester1
Salford1
COMODO CA Limited1$0"
COMODO Time Stamping Signer0
1http://crl.usertrust.com/UTN-USERFirst-Object.crl05
http://ocsp.usertrust.com0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
110824000000Z
200530104838Z0{1
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
120504000000Z
150504235959Z0
M2K 1J41
22 Elkhorn Dr., #2511"0
Topala Software Solutions1"0
Topala Software Solutions0
https://secure.comodo.net/CPS0A
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
http://ocsp.comodoca.com0
admin@gtopala.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 2
http://www.gtopala.com/ 0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object
120517035045Z0#
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
Unknown
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
GetTTFNameString
Version
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
SIW Portable
FileVersion
2011.10.29.0
InternalName
SIW Portable
LegalCopyright
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
SIWPortable_2011.10.29.paf.exe
PortableApps.comAppID
SIWPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.0.1.0
ProductName
SIW Portable
ProductVersion
2011.10.29.0
VarFileInfo
Translation
<<<Obsolete>>
<System Information for Window
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
Zillya Clean
AegisLab Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
TrendMicro Clean
Baidu Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
Babable Clean
ViRobot Clean
Rising Clean
Ad-Aware Clean
Trustlook Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
Invincea Clean
McAfee-GW-Edition Clean
Trapmine Clean
Emsisoft Clean
SentinelOne Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
AVware Clean
MAX Clean
VBA32 Clean
Cylance Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Tencent Clean
Yandex Clean
Ikarus Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


SIWPortable_2011.10.29.paf.exe, PID: 1440, Parent PID: 1312


Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name cad6f3c6c8a6f65f_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appinfo.ini
Size 471.0B
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 dc54f7487c7ebb404912d59c7c076bd3
SHA1 6cdd2f6cbd6ac8b11b3e8454ae195b967ffb710a
SHA256 cad6f3c6c8a6f65f7cf388d6d615267e61e9f02d2505011e7caaf0668819a0d4
CRC32 B902888E
ssdeep 12:kih/LKAm/uY0yh8F00y42bvAL79Q021vOrHzNVvM:kIkuYv+jy4bQ02pOrTE
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 1052bda69dda0c4a_license.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\Data\PortableApps.comInstaller\license.ini
Size 44.0B
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 db36c1ead29ba787daa9ea7a98bc27f7
SHA1 8c8fd1a6b0e38c71a048924e4ebac51d60b8740c
SHA256 1052bda69dda0c4a04ef3ef9465007026ca5737a2296e7539529871029024f42
CRC32 77606081
ssdeep 3:WB/WyJXLpkzGUov:WppXLKwv
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 2c2777de879bca35_iospecial.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\ioSpecial.ini
Size 1.3KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 3ccb0e78f6e0ef322ab2a59bac80ba1c
SHA1 8cd3667f678ab44083eda09070907721a340b96b
SHA256 2c2777de879bca35b2be967140cee078fa7140fc9913be851da3aad545add17c
CRC32 51C5BE10
ssdeep 24:Q+sxvtSSAD5ylSXgqWCs7y6GuLk9ni/6k8lfdn7CsGNC54u6v4dnx3HTCaH65Oaw:rsx9AQSwqQkuVN8ltnSduxeaNUe
Yara None matched
Name 0a9a711b205dc87b_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\modern-wizard.bmp
Size 150.9KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PC bitmap, Windows 3.x format, 164 x 314 x 24
MD5 55204d08cff24975e88885403f13fd59
SHA1 1aad4f3ceb1c8bdd348385228ea3043f1f0b2427
SHA256 0a9a711b205dc87b6b0fe491253bc1ddb4a46a02f26ab622c209b1311125dd20
CRC32 95D95148
ssdeep 1536:BUPy+RPMI0gVQC6AKEbOOukOtYzpz400XveEDSrP1:2Py+RPMcQCDKzuJ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 47b9e251c9c90f43_langdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\LangDLL.dll
Size 5.0KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a1cd3f159ef78d9ace162f067b544fd9
SHA1 72671fdf4bfeeb99b392685bf01081b4a0b3ae66
SHA256 47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6
CRC32 A7504246
ssdeep 48:apTVWFeApYx2lxaKe3yfeEIWCGWNpBWLGGrx3pMt4z8mtJ7HofYZVSLa:RFG0xaKkyfjIWTW7BYrhSbmtJ7/V
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • contentis_base64 - This rule finds for base64 strings
Name 6424fdb768fe8fd6_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_16.png
Size 589.0B
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced
MD5 b5488f1b60ebafb89bfab287b68822c5
SHA1 59ed68157fc396ffa8513c30f0a9a6f607d0113a
SHA256 6424fdb768fe8fd6a857ca3c146a88742e636151173c819ab7036c319f79d78e
CRC32 C4243760
ssdeep 12:6v/7uNpsb/UomJUvv5wmsCVI/t32j2hTkm4ZQmxh/LdRJ5YFVODkEfyuZ:nTx9Yw2V4yaovQmHXYEz6Y
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 081c1286fd3b4c47_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_128.png
Size 9.0KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGB, non-interlaced
MD5 0f76be98f811080ff7eb1cfc621ba445
SHA1 5fb98683f862b8ed74eb00008238db06a8eae1b4
SHA256 081c1286fd3b4c479429ba59cb86495e1fe9070b2e5f42ff05b2a0e13e775e3b
CRC32 045E862D
ssdeep 192:eVvaQv1V/92iF0BPbL3Kf+9Iy36G9HsKdSK4ZDHgSvWrh8u6bOec+:eVSA1Vl28OTOmayzIZLu98ukO4
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 4371f3e2a08d31ba_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon_32.png
Size 1.5KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 b73c6e55ea081ac22d8e3f2f4de96436
SHA1 32811dfd6bb3d15c1041f91cc616d9a1670d7b21
SHA256 4371f3e2a08d31ba62c35f6a9a750fe3490c01fc61497f8c5aa0d12fc80bf084
CRC32 6B7E36AF
ssdeep 24:Ufs+MPYkiTpqgXF/0oOdNrA5ODCfWYUDYHrh9qtKBo++r/qSGmK4D:n+MPJGH18T8ODeUM+4a+iqrmKe
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 1b8b1d3621047db1_siw_init.xml
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\DefaultData\siw_init.xml
Size 1.0KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type XML document text
MD5 abd439b2bc77738136ebeb65898ec08e
SHA1 160c8b873d6faa6b51389cde3a501eb27bd91ed0
SHA256 1b8b1d3621047db1a157075df26548e3afffa9e06e6d3efeef3d98bbed224555
CRC32 77D6E8AC
ssdeep 24:qwLSutDF1B+XMqib9qmVMUk3B6S2b56xoG6swSBkn:/DF1B+XMqihqm86S2bYx+swSBk
Yara
  • contentis_base64 - This rule finds for base64 strings
Name f530069ef87a1c16_installoptions.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\InstallOptions.dll
Size 15.0KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 89351a0a6a89519c86c5531e20dab9ea
SHA1 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256 f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
CRC32 7FB8A1B8
ssdeep 384:/MnT0MKT/Xwr2izZQ86mpAT8F9lN8Ov0J:EQMKzwTFnVX8i0
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 0106f031540d166d_eula.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\EULA.txt
Size 3.3KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 cc867d51ab45d9395333e675eae53d49
SHA1 f9a4ad14e726c74256a85590189b0f13a6d25365
SHA256 0106f031540d166de2c3f4f7959926c6f37fe2da2d3e1f290c68d9b6f4cbcf61
CRC32 2ED8A161
ssdeep 48:FeQ+Jvy+RiMev46S9BMmaXZX9BN+2MYbLUnH0/4D14cyFJV4QaIt1SvxjZPE/LDE:FWy3cLNsX9BIUT615JQaIt0m//AHU55m
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 54f89794e612d22a_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\App\AppInfo\appicon.ico
Size 48.2KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type MS Windows icon resource - 6 icons, 32x32, 256-colors
MD5 9461f6fe8fb48e821b00452c05b5de6c
SHA1 5fbf017d67e0547b800054fe2ff33888e50aadca
SHA256 54f89794e612d22a5914a9e7d67ab8dcdaf141e254bcd806a48c0aa5537df4be
CRC32 7EBE70A8
ssdeep 768:4g2/zyRLVq01PCTnpPUGAottQyAVnmjl5jUei7BeR3zkPoJ5/qiG9:u/+m01PonpPAottQzVnmRlU3l2zkAf6
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\w7tbp.dll
Size 2.5KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 7851cb12fa4131f1_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\System.dll
Size 11.0KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
CRC32 81CA71BF
ssdeep 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 7c66711e420b2105_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\help.html
Size 1.4KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 2e503e6d0d804ec00d57401e68354f82
SHA1 fb4c4b9011656f16ce2a22c117f6f61ac679810c
SHA256 7c66711e420b21056918dfba26ce6e8ed2b5bc09b1b059c577ccce3cc1bdc921
CRC32 FF9A312B
ssdeep 24:hM0mIAvy6RTYJJPF+hYNGMP+Vpdp6rwkssqIqhCg9FMxPA9HA92doKA9Zz:lmIAq6liPF+qGNVpd4ZqFCgAC2UdoP3z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3cf22fab563cde1d_siwportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\SIWPortable\SIWPortable.exe
Size 2.4MB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5 3fcbdd374dbc5e2887f4e193dcdd8c1a
SHA1 06c5f8ed72360e9a77c0f916c5cdbeb051819195
SHA256 3cf22fab563cde1d9d8962cfc5447c98b06e3005c5421757b001cc2306645bfe
CRC32 583C4E7C
ssdeep 49152:4KLWpzCgNGXg1ztJBi00YcJRwQEa3B5N5q1abtMj8L3opSxR:bWpztGXg1xJBGYcJlh3RE2kOh
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01587_PeCompact_v2_08____Bitsum_Technologies_signature_by_loveboom__ - [PeCompact v2.08 -> Bitsum Technologies(signature by loveboom)]
  • PEiD_01588_PECompact_v2_0_ - [PECompact v2.0]
  • PEiD_01591_PECompact_V2_X____Bitsum_Technologies_ - [PECompact V2.X -> Bitsum Technologies]
  • PEiD_01592_PECompact_v2_xx_ - [PECompact v2.xx]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • PeCompact_v208_Bitsum_Technologiessignature_by_loveboom -
  • PECompact_2x_Jeremy_Collake -
  • PECompact_20x_Heuristic_Mode_Jeremy_Collake -
  • PECompact_2xx_BitSum_Technologies -
  • PECompact_v2xx -
  • PECompact_V2X_Bitsum_Technologies_additional -
  • PECompact_V2X_Bitsum_Technologies -
  • PECompact_v20_additional -
  • PeCompact_2xx_BitSum_Technologies -
  • PeCompact_253_DLL_BitSum_Technologies_additional -
  • PECompact_v20 -
  • PeCompact_253_DLL_BitSum_Technologies -
  • PECompact_v2xx_additional -
  • PECompactV2XBitsumTechnologies -
  • PECompact2xxBitSumTechnologies -
  • PECompactv2xx -
  • pecompact2 - PECompact
  • maldoc_suspicious_strings -
Name 6eb09ce25c7fc62e_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsu3.tmp\FindProcDLL.dll
Size 27.5KB
Processes 1440 (SIWPortable_2011.10.29.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
CRC32 F238428A
ssdeep 384:DZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:DZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00153_Armadillo_v1_xx___v2_xx_ - [Armadillo v1.xx - v2.xx]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01071_Microsoft_Visual_C___6_0_DLL__Debug__ - [Microsoft Visual C++ 6.0 DLL (Debug)]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v1xx_v2xx_additional -
  • Microsoft_Visual_Cpp_v70_DLL -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Microsoft_Visual_Cpp_60_DLL_Debug -
  • Armadillo_v1xx_v2xx -
  • Microsoft_Visual_Cpp_v60_DLL -
  • Microsoft_Visual_Cpp_60 -
  • Armadillov1xxv2xx -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name e3b0c44298fc1c14_nse1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Sorry! No dropped buffers.
Task ID 621
Mongo ID 5c36149711d3080d16cdc65a
Cuckoo release 2.0-dev