File WinMTRPortable_0.92_Rev_2_English.paf.exe

Size 1.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 179b2fc717a382a6a1d5496670eecccc
SHA1 a1d46afeefb8916e80ace63d14ceba43918e8fea
SHA256 7357e786c047e96f887d669540e53fe3e96ac3c638eae10641d4cbc22d66d1f1
SHA512 e1e8f4a05702f200fdd916fd4e977b940b0063565c7c13d77714492c872af0c8dd4bbddf85e025bdb64a035b7e4a6edf697c58e9a7465f2b391d8087f5102e3b
CRC32 AD64F967
ssdeep 49152:89Zon8e9Qx32mGkP59AWB0D9PpxJ4DGQuAXfFT67338:98e6xDGkPwlEGGXflcc
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.0 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Jan. 9, 2019, 11:37 a.m. Jan. 9, 2019, 11:37 a.m. 20 seconds

Machine

Name Label Started On Shutdown On
winxpsp3pro32 winxpsp3pro32 2019-01-09 11:37:38 2019-01-09 11:37:58

Analyzer Log

2019-01-09 03:11:59,015 [analyzer] DEBUG: Starting analyzer from: C:\phamdlezsj
2019-01-09 03:11:59,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\MxYKruMRIwazAMrVPqqKNQoNxDigTSoK
2019-01-09 03:11:59,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\KPrSnDbBYvZuairkCk
2019-01-09 03:11:59,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:59,030 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:12:00,655 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:12:00,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,828 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,890 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:12:00,890 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:12:00,890 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:12:00,890 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:12:00,890 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:12:01,296 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:12:01,296 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:12:01,421 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\WinMTRPortable_0.92_Rev_2_English.paf.exe' with arguments '' and pid 1440
2019-01-09 03:12:01,515 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:01,515 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:01,671 [analyzer] DEBUG: Loaded monitor into process with pid 1440
2019-01-09 03:12:01,828 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nst2.tmp
2019-01-09 03:12:01,875 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\System.dll
2019-01-09 03:12:02,030 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\FindProcDLL.dll
2019-01-09 03:12:02,280 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\ioSpecial.ini
2019-01-09 03:12:02,390 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp
2019-01-09 03:12:02,500 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-header.bmp
2019-01-09 03:12:02,500 [analyzer] DEBUG: Received request to inject pid=1440, but we are already injected there.
2019-01-09 03:12:02,530 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\InstallOptions.dll
2019-01-09 03:12:03,108 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:05,250 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:06,280 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\w7tbp.dll
2019-01-09 03:12:06,358 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\WinMTRPortable.exe
2019-01-09 03:12:06,390 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\help.html
2019-01-09 03:12:06,390 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\readme.txt
2019-01-09 03:12:06,405 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:06,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:06,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:06,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:06,437 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:06,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher\Custom.nsh
2019-01-09 03:12:06,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher\WinMTRPortable.ini
2019-01-09 03:12:06,467 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\README.TXT
2019-01-09 03:12:06,703 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\WinMTR.exe
2019-01-09 03:12:06,937 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64\README.TXT
2019-01-09 03:12:07,203 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64\WinMTR.exe
2019-01-09 03:12:07,375 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:07,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\donation_button.png
2019-01-09 03:12:07,467 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\favicon.ico
2019-01-09 03:12:07,467 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:07,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:07,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:07,515 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:07,515 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\License.txt
2019-01-09 03:12:07,530 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\Readme.txt
2019-01-09 03:12:09,421 [analyzer] INFO: Process with pid 1440 has terminated
2019-01-09 03:12:09,421 [analyzer] INFO: Process list is empty, terminating analysis.
2019-01-09 03:12:10,421 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:12:10,671 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nst2.tmp'" does not exist, skip.
2019-01-09 03:12:10,967 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 11:37:38,323 [lib.cuckoo.core.scheduler] INFO: Task #639: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 11:37:38,486 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9713 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/639/dump.pcap)
2019-01-09 11:37:41,075 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 11:37:57,785 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 11:38:25,646 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 11:38:27,544 [modules.processing.network] ERROR: Unable to open /opt/cuckoo/storage/analyses/639/dump_sorted.pcap
2019-01-09 11:38:36,737 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b503af6d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 11:38:36,740 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b52f41210>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b52f41210>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5333524794310660
free_bytes_available: 197032500923203584
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable
total_number_of_bytes: 199284302364308578
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24101814272
free_bytes_available: 24101814272
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 0
free_bytes_available: 26761941418218
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable
total_number_of_bytes: 4296210764
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24101814272
free_bytes_available: 24101814272
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Creates executable files on the filesystem (7 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\InstallOptions.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64\WinMTR.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\WinMTR.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\WinMTRPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\FindProcDLL.dll
The binary likely contains encrypted or compressed data. (3 events)
section {u'size_of_data': u'0x00019000', u'virtual_address': u'0x00130000', u'entropy': 7.554461034271052, u'name': u'.rsrc', u'virtual_size': u'0x00018e88'} entropy 7.55446103427 description A section with a high entropy has been found
section {u'size_of_data': u'0x00001000', u'virtual_address': u'0x00149000', u'entropy': 7.876285501028333, u'name': u'.reloc', u'virtual_size': u'0x00000f8a'} entropy 7.87628550103 description A section with a high entropy has been found
entropy 0.724738675958 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process WinMTRPortable_0.92_Rev_2_English.paf.exe (1440)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable_0.92_Rev_2_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\InstallOptions.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nst2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\README.TXT
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\donation_button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64\WinMTR.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher\Custom.nsh
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\WinMTRPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\License.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher\WinMTRPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64\README.TXT
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\WinMTR.exe
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nst2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable_0.92_Rev_2_English.paf.exe

Process WinMTRPortable_0.92_Rev_2_English.paf.exe (1440)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling

Process WinMTRPortable_0.92_Rev_2_English.paf.exe (1440)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process WinMTRPortable_0.92_Rev_2_English.paf.exe (1440)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
  • Directories removed

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\*.*
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\7zTemp\7z.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\7zTemp
    • C:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen

Process WinMTRPortable_0.92_Rev_2_English.paf.exe (1440)

  • DLLs Loaded

    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsi3.tmp\w7tbp.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • SHFOLDER
    • C:\WINDOWS\system32\browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsi3.tmp\InstallOptions.dll
    • browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsi3.tmp\System.dll
    • shell32.dll
    • UxTheme.dll
    • RichEd20
    • SHELL32.dll
    • ole32.dll
    • SETUPAPI.dll
    • PSAPI.DLL
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsi3.tmp\FindProcDLL.dll

PE Compile Time

2012-02-24 14:19:59

Signing Certificate

MD5 dbff3d4c5ea4d4b3737def9c6667d21a
SHA1 c836c41ae9eb8259a7317d5f4dc115f548529b42
Serial Number 03b4ebea7ae80b259dff94904506f5da
Common Name Rare Ideas, LLC
Country US
Locality New York

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006f10 0x00007000 6.49788465186
.rdata 0x00008000 0x00002a92 0x00002c00 4.39389365097
.data 0x0000b000 0x00067ebc 0x00000200 1.472782261
.ndata 0x00073000 0x000bd000 0x00000000 0.0
.rsrc 0x00130000 0x00018e88 0x00019000 7.55446103427
.reloc 0x00149000 0x00000f8a 0x00001000 7.87628550103

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 None
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
@.reloc
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
[Rename]
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
WriteFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalFree
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
NullsoftInstf
'A`l!3
.Y >dw4\
3=@ 2#{
@?zTPFR
{_sI 2
L'xb]c
ZYt10R
fK?H\dqi
"zC+'2`
Wzj;>f
:q=OOAQ
'YW7^$
gwc}C|~c
,5^dN24
GyKIk6c
qDs##/
qkndwK
+:{Q#e4
1.? +&_
T(xy-}
rL{pCE
CUEl*E
LqtHpe
s3(QCrtn
,HFL)Ny
e?<F4wY
H`vnpm
ruD~5X
HiM%UH
~^s4*Em
N?O!F>z
kBe$pr
8}#f3:`
4Ga[yt
X8%\2LS
_>|%Eu
{A,yf#6$I
y_{# S
S]&]:]o
,H+[;He
N\*))$
>QY.@R
sZ-271
^gtyia
%U(h$
,gBUV+
*WJn;X`
{F,IM$
_FoOC/
)Tz2Lo[/
58|hB)76
@[Zkq6
-Yc\1W
}6"^B+
KR 7]r
-*/L=H
~/YEqpb=
]ya4+)x
i9E(R[
2b:!Z!c
2qOlgg
=grR#{
L}\!?E
){*//=
J&3$G:]5
KlQ $y
G$g?s7
#e+bOe5
A_\rZG
O8O*pW
V<,cf!;
Mf`r*W
Wtz})Nj
K+5a$A
B.#&BT2%IS
7B}!]P
X]Y+M\
O4TJ1G^
8CAv%2
[3~#Blo/
+/^*\!
4Yp{9)
'u$=p{
4Q,\Gxg
eNa=r-6c
&F%uS@
I1WO|^
{'4M@
9|)2!o
;~|4"gOm
-`Hwo6
jiGj'f
c,9%Jj
TUPF@>J
]"vTa]p
N`#G)
^-3tVn{#
zT!`T^
1{=onx
Fu&c2H^
cL!,U,
\G1x7([
Xb~9tU
=q W>6=
&AF-oHn9
Tgxe3I-\
Ye<Xpe*B
\^~SGW|h6s
KydzFS<
ZM?^<\
'",bkBN
dHV`uL[
hZp|J:2v
VRf=JM
5nZ#w\+
}zEzQ|
=w&ZEbP
@J ij=
~/+}Nf
y9#W8`?
Xn,Vk
0~~eu!
sXMt!
]g9Aii
:X2m"G
F]<DQM<
<WW[QiL
LD'HnR
o4'oqd
H%{U*&
rqaY.cC>
&_7V~_
1:)r#-v
SPqBJG
cuC)_l=
}R1fTU
=PiBqJE
Ld'zc1>8>fd%0
n'yH\
poPy&S
9HBDk7:
4Sz"g8
+-"Z!@
8 qOW<TL
f!Q}"E?
YVG8vL
UAmrln
#?|ThUT
*>{?@q
-7okKUYr
|`ASNu
Ie[fs}R
HJ%?hKD
E.tFSH
V0C.5h
WPH~m_
`RAra\q
F^ZMja
,bI(+{
|OyQLo
s#\r;[W
%cCS3`
vowU:f$
&~;vPn)<
`RROb
@hQ0UD)
o@nWtB
\xbqj!O
c:!e#7
KW4V0*
jFIk@X
".,EB1
eVGl$@
MJ+i41
nU=5%nG
]frrQko
-K0SuSJZ"
"PlEC6\
MSTVtT
]"XUW3<`
a.BYPy!
OP@k%P
~$.;rBXM
y4Pc&A
5bwbFq7O
z>1b@H
!*c#gz
o2Vw7b
1(Fi)
h7/Yz^#
&I7k$o
4*$$.
`Bb+hz
Qi)2%
mfESGN%
{=?cg>w4
H'thR
_|D^T1c7
B)j&yBy
"NE3lpO
9w'AeO
Pc5#`gd
4yJ6qr
4Q5Dl@
96UT6>
0^R%`
Elw7wN
(=p60/
OH+75?
/2fIGq
IRwVu
g"X\dYg
>6%6+nr
w3e6Y]
w78RuH
Bql/m,
_gSK[Q
nRCe"N
Hm]rP_p
@Q.n[_
Iv2 /8
&)GF]Y
e $,Kh$
<\1{e&K
z(};4Z
)jz/YS_
=()4l=4
{1SJtKa
bJyZDJM
P<u9L(9!
USSpuOr
u/E5-|
<s^{"U
Wbk!RG
EIe g+P*
N0=O<,
~{.O!TR~
B,IE*[
9tDlH_1
AhQM#h
5HPOL~
$vBdlU
j=g&ui
p0+70W
8q_2p"m|7-
q["XO(
G`)mON
Gm@:kdXu"
A4meB(k]
q|-/'r
c2<;p
b`DU4E
UZOG$kK
WpFn[pr
^E='&?
q3{dSd
&m`;~&F
{GIzu^
p0I$0y}
0ZOl,9&3
zov';[
jju.)"O
Vx[ B_
c^Oho6
QuER:|
0=./ll
jZ`7IPA
kZXQNfZ
F2m8,tEh
LOB2*(
bq=QAmB
crueG<&;?
y#X,USg$
7RZUES
Qe^J/>o
`an3w
jd09C
=uocO;w
\9JE-5z
N?s1``
>HtVgD
CUz=KZ:
t_T4Nw
yZ+CCS
st]h5M
S`K]Q
#j:y%
-'$qV1
'iYM{~
8nxp|8
`[>?1D
0n_|Y4
&64bNd~G[I24
]c*;RqBm
'f(["N?C
6R]jRPV
SO_.L$%
EefhhA
qzAz%z
{` L'c
P89UJa
!ca.n<*
huz:0OJ
A-&LpJ\
F)1=w{I}
5#G6JD
z1}UR
:Z9Uuy,
>`geNaZ0
.\ls:u}X#
CqypJU
PNQj:+
1>HW5^)Lz
B$hwf/
W/`4yL
7cw?HSS
0zo& -P
?#pv9qYf
v8O=:m
VnxY!r
cB,%CW
\C/Sx]
1ZXiS"!8r
(C.Ee"
X3=^J;
MDcnTZ
0f)#)B>
ISM]'kB
f{a;'X
6jK%$"
Z8'1^pK`
nO;{]0
!d`)*M%
s"Ss$6
'"Tm]>
\qem!TL
[=7a)y
E)jXM2"
=cFSa07
u~= u@#
sr5wXBZ
~@r01f-~
6Q9]D<
}c S6z!
HZQDX^
VZm1KG
i0^)t5
>0]*ch
`$PCLrR
l[2!,'
vV_O_s
1{Q1\b
t'nER\
DgBpHu
m,Wpb!
u+$8*~6
+I`}oD}!L
+`z_.J
sx%(WG\\
5Ovd#'ER
{0gx1)
<xZWC0
PN)dFs
_Dd8`af
mj,!Lxk
82Ji)t
w<^XQ-M
8dvR-.a
oNdgU+
BV8!h~
uCOk;x
XQf7L@
\vBl7gT
|VtYV:x
$QBw~
(3VxR5
X<dV$
".;v=at
;3cF=-
IfpEIa1"Y#
4+})$K
L)p%DT
|,as(D
O2=~w6
8:;l9p\kf\v
?[bJbF
R:%YD"
MH\c=V
UV=q:
xo0iqG
\NhV7"
C&wVy9
X1vAJ&
vr2iUR
wO*+dT@T
wSLthHj
N#BIjb
#ua/GG
]HmNt}
]]eg22{
,?A3v+5n.L
O:wR]F-
R#1F&U
FZs ][
)<8-Gj0
(qClxY
.?Bf@r4c/I
E@f#c
izOE+n<g
&'(TrD
,,ouXD
PYRm1.G.Y
e6Vi(9
]joU[H
kRdT5I3
Qv{KD}
G`_'>;3w
z:VHP3V
D;f #x2qL
XaXUTm
gIA)$VV
<nz"N;4
i9?W\e
X<&!-U
f_~usq
wD#dU]
C*hJ'}6Z
jR/.Py
b{Ihoq
wLK:U)
\yuf+^
NV^9T0
9*i-EO
^0Mp]V
@$6Z_a
K#8:7]
q/FZ_6ds
d*~K"}/
/}O;:]
"C=\*ajD
2H3/Rf
0-ko+]
250:B>S
F3DD^n{*
#KTqx!
}(7N,u
oC`T+fv7
k_1psT
VY>"CQ=
hI) PNgp
&*z}Po
=IrvWY
0i*s"A
ZDw.:h
z}YE[|
!lSlKE=`*w
nry)q`
f:rqVG
vqFgs=
TipUhM
`]I^3nR
M3Gj[%@
Xm1|W]9
Lxk1oCZ
v[%#yc
d2QP`g<LG$/
GA2Nqqw
1>.tx3
51lV
G |+k~
R3X(\"
~NqO`f
aN`#Ls
]X8-wZ
^:!(adpXY
Lg"J49
[TBRx4
'wl=sP
n"&xZU
-[_pHD/j
p K\0F:U
5Y.[rd
@A^OfP
o0UsnI
t![2(W
`UfNh?
f#6xJ4
tml9qe8{
y'fRR{jBe
xVJs4#oy=a
.4HD;iG26
muRgKg
[UO]W1
${r|EH<K
:GJbs1
:hoCg^
cli/k1"
`^:`Df
q=>GXjtd
`=[]B(l
pB/#V
1MPxLfe
>OxB"
c1Kxdy
Ra7 ^0
>L/v9q1I
2Is^]J
\UWAWw^
{p e,G
"8y^`}
3Ig\z/
k2":kig
5q)J@f
!-@"-pq
)]NHg=
sr|$^A
H1iOp?
QNz|Mp6]
cG:/5N
:!n]$m
nSrE3)
?&7:dw
n35}JX
+nmqRX31
X\[#&pW
Csw`J0
wXx"OJ
.Cxxl0
?jhueS
CEbC9r
[XoH2I
1sUo&
oritpb
}:0y%`
",e}"K
Jui_{A
p+#p@A
FSzL/Dh
toYXXM
Bn2JPxL
xjcsW"\
PU2yZx
*PE6T~
N>5#M!B}
[Ne&RCM.
$QdVv+
KAOt):
,t vua
G,PXrA
H+R7POOo
%/GUT0
wN|$a6
:1$|o~P
[5+1RX
zQcdqC
?9hvro
P$\"' 9@
ntEO_J
~A4x*2
tv1A+XD
V~1dO5qw
hD;Q2&
t\_J<k
8'?og)
2,n]1\
j=vEWt
zHw}Wp
VZ>A{R,<|^
`965*Q
vpC-vt
8X+[M{
z#.7`'
04`5%A
'j=/i,c
?J?y+dOi@
p!j8gy
wE:'W\\l
=4iq`*
]L4s,\
#h,r;Z
;6_f!4)
ky:o?|3
]oF/3R
._.eG.
B)R?lP&o
8da0r"jzh
$^e_KD
.XJTXz
B!_I|;T
]5|/DY
N`A0LW
v-zYYZ
/BWA8&#
H"zqY
8]r:nk
O@Qpk3/C
qS}<I'e
/Y:<CQ
'FXgz*
j?yK[`
Wm:H_#m_!
RSO3S1w
b].F)~
G#`z]EA
jMB#?REbS-7
V|R"{
UsnJ%Ab
maF RZE
v(=:%s
6:w_n
qQ7vy}X%x
dSNY3^vJg
Y&Hq)!s
t|:t{@r
F3VTt(
}AQ'K_
@PRX$f
(@$poqc
89[ eJz
^bNu!R
7W3~iM
>qv'Gp
h3$k[;
JeN-TB|\
3yk+|-
[OMigf
6lX0+5D
l#A6Ez
gpcI`&h
f\mf"i=
cdEqbZ
|[0Krk
oTXC>/
D=Ox@P
_21cg.\
z/1_k*
$b6y|e
Rov#nH_
na:ir=
zjLt]kd
]vdkd7}
se#h0|
RsVfh:
En.(/<
Mm90`H
yCJ[Au
X\AF<*
jZ3eUOc
L7+]{m
4`V9>a
cL#3H1
"<Y*jZ"
Mw_m$-G
|lYrhjm)
[b~hb*
i1L^}b
<[9j~O
hi7PT-
bI8z9f
o3:l(N
izuEJj
@hO=d%
[a/O{zF
8=KXD#q
T&RT$
a)ZP*J vr
3wd/WW
v!^"/k
NYbW2Y
%I{ ;=({
;Eprbo!
%Kv)U3\
!ihC&v
Ksa~y'h
W"qLR4Fo
o-QNH{1
`>P[W
|g-/\nQ
#KFq$V
,xz~4Cb,
)Wc_mcs7
m+'|k/N
hDj2d$
M\w(>si
)l!THKg
DX@,$
r(gm)IgM
9x6s9A
06t3av
#vn$Rk
{=fz<o
w):qu
TyOxSKQ?>
K'\KYB
N7p=fx
EALfgi
rEN6g1
frs!`7(n
Ti7^ni
'LO0d'
27?gXS
)Tv-Er
< d(/g
j-,Ug
BUP'.!c
K:C^IX(;*C
u37=uW
o|b)Gn
,aT/8
xy}",#
pEoTpa
D.='^s
l!^h=2
?}^ i?"
ZOK\@
s%,*l7
~F3ZH9
lt`px)
5uFX@%f
bZ!R=z^
;Sf/@C
g{>aGl
$c5xmO
F+o/5Y
+xNmM K
FIG7c--
B;7Di(
@MF5ZU
:wr1;NZ
2<<3U0
ag}b(w
O@0@TxF
OSTt#:YQ
3':`7w
_J 5p%Fq
x/22M5
Et0~GR=
<85*|o
0Zmb[
)f?><
K#aCEt+
@2^O;lX
FHf>J$
@x4~P?
O)kk(3
/e*t+r
3:1%p~
p_o</6
NS{/p7
W"m4]T+;7
u5>vi
=7:>'G
jPh"rs`
sc|o>}`
v-8*6e
ukm\t%
:mG>_]
?!v+$f
!zcbmj
:Y|oI$
p!dcs-'4
fc)JAw
s_=3t$
O`jpdsJg8
Ox~C'f
*"9DPQv
cUHJG%
ZfCGgD
8T{WeM
aG0Gm'>:
t$-[<-
%}Is+J
Ey,*OvF<T
|,hl">
0t[H0B-U
?gCvmM(7
Y}gY~^f
~?$s'B
vMV)??
_q@0[RY
W/o4o7#:
dwOt-L
x.S<,O
RGvuIN
b0{?dB
fj!#SY
|bC3&N
Qc)yS{^;
xY1o<E
!*3Fix
I57`i[
kH?\OrP
Kt_m2?^
t:'ZD
upLxF4x
A`tr\h
q|WK0r
MP5i%|
<@'2%9
q"CGpPD
g)K%E~
K 6_Ca~
ow>Ab3
]+@T"Y
w!Z`g|8i+
<gP<'l
Fw46O7
kXS{o9
M-lO9$
W&VEZP
x!gs+Y
([/1[N
*8A(9>F
<[X9B{
OL<9yL
Gq:5PJU
$am=}9
Z<ZU=1
)~se
+l2$@T
v[']d*
i0^7MRse
9DfpcXP
P<##X
QUBMD[
v_g5n=
Wlcxp-
yU(cY
~h'FQ:p
7oj# `
_('=K:
{G:\t2'z
_n8$/9
PZ}VzlE
?IX(`HM
Rb6ip
vfpZ&v
Qjg}O=3
Pk.[%
@TJc(x<u
6-L)OJ<'5
)OT_9q
a9Y6{R
EqMT!q
,r@xt
\~$Su>
6Z5paw
3YqV)$6#R
sYNm)p
S^>K~s
)USX&t
a 5%DE
<$-Hb`
KE;(ClK
0Vrqv
vsp55#V[
m?n/+m
!,bpaH
6e~]Fl6j
w3cpVI
|Cv3h-
{-deII
]W9m:z
h3WeuG
CN=@<(
6RuVD9
}!Y4agd
d:`0,Gs_
2AQM
a^F(p:
yL2vW1
i#Tr[3`
>q+0/Z
eR0sh>
q<rJ1b
q&nS^t
I7J*g,
x3>Tl3
VVRaSS
Gzlj+^Z
+Hg@2V
J0a!ejY
*i0P g2
Y$I({J
MJ<}D?
Qe>&S+0*
z$X("i
xUOLZ4
R6# 9u9
`{<~Cmb
`9cfE0ES
hwr\:w
Rilu6^
o)\$0w
xo>RG{
6hb>u0
+[MW%/
}38q4rFy
)"IyZl*
\V5&"9
eis[zx
9wxWCwW
X.qdo\<J.
/^j*m$
%2Jkmi
M*[ :g
i1"21S~C/m
flB|uOD_
(tV[3b
`=]"$}
xRGbLL
K87O\#
tAPASL eg
XS5j0u
,#s7OT$
[bv#>_
tJ:g_|
qH7esO
[V1p=~
(HDE|6
`Uniy)>
p~d>4Z
H%rSxy
/E8,wt<
BWpwN~r
Vb+74g
#oNj-l
~?.Eb^
NQ:iUS
+~r;<)a
qp>`tz
6#7ilw6
+:<*dA>
An8l}@
3Bj/^@
>H)1d}
0C&cY-
vtdcPn
fJ$z%L
N%c/hX
<|y(i
J[<E*S
{;xE,?
iHHU1ds
h_-Fk)^
Bkc>o/(
Jo+_(
cR)H3Vx
:WQT\J
c4saJ"3|
qOB[Az
,+4Tf
5/-_`!
-d&~jR\
S6X{uW^
krg@eD
q5+9)K?y
p1|2=pk
21r/f*
[y/xdb
1EQALg
&ph7R)~
j*$:pQ
`<yZbn
sL)6t8
P+R'>uca
@-"({{
D[6]gG4=
0IMmp;
f_Boj~
uBNIgx
T^+F}Y
f"+,c(
JaBj$D
@vb+\8
IE1@J8
rRvQY}
E%cX|@
hd~;>EJ
*WtdBk
IhAB%K
G9*RZ*
k/u%TPk
z{K\*K0Y
-Y?P6^hjtxc
hkz}Pr
9-PgDRp
Dm$mB,
<i@H!qF
U~dZ#u
z`[7=!f
}FAO2Gd
Rp?y9h
c3z,?)
<xlD?vw
C|HdEn
bugE)N
=3*v(;
\!}y:C{
!Y!l3KH]w
D7F-&O
s#}Kb'
(?a$+Qy
eb{#nX|
Z*fk{L\
`jlNhRr
L_1(}!
rAg0%,
Wg|H&2
\a?eRJ
$uA$J2
::eLP03o@
$pu~B@_1
z{?~6G
(Fq{o8
f$p4iU[
a}c@0+
JV4B\s="
NGY H.
::&c\i
1|w2bb6m
] E5Yk?
@fBVcPx.E
oXb]0:
u}{F(
uL.S"[
:o/rL*
'6-uj{
ksoE{q
')B#QdG
,rfr-+'
SSk4C.k~
@%F#k
1<Yn9P
4F_EkK
H+[)zT
>,;\(-
#u]0+}
5p*k2k
87twb-z
VPno42
7bL;[-
Xxdk%INFG
U.Vj-T
!BRQmQ~
|x{.6o[+etZ
0reqPBvvR
m2Y"99(
q["Vn=
6[\g%
\O wCX
n!yGKs,
M*pyC$
?oe(x?
u{vWP$@
r5(E,C0p
t8j,v$1
F[Ya"w
yo#T "
Or6(pd.
&gaB2VIk
,,_<*q
);@7Q]s
lpW|1Q:
W]uQ3O11t
P36^]X
t$oEGN
Y.ji8%
&fXZPu,-
0Q%B)#
@BA/ah
USmZAO((
RKPw&-
9++FdL
))&P5}
Do}:@x;
>8b>}65\NTq
f&0Urk
"?j_6D[X
HIJ MQ
ciN`5m
SP7jaQB
mu>z{L:
LrK=gW
tdSaY7
9.X0Eq
[^@Zb=p
P):2Zx
Vt1uux
qGQxz,
AMws8GIw
`UvP&}
`'1MF
9<?n~
o;*X']
\*F(-6
(ivg}v
52pH*V
/#Fy-X
ECDp5
$ ,6ctM
sm|K=J
6h)6[
<#vrv>
p'*zJG
"d2x+#
V_9[,?
<<'kR`
d.(J(D
CV%qE?
hq1K9fA
MZME n
MF jH\X
nnX6x0p E{
{y'0|3
+H7+tT
L2%WBq
8YyTlB
,}ep-~
_whJEh
.3qR@Y
`:#qVvt
~j=]re
UnQ:l>
bVrLS)
v3,Gy,
f}at/[
|U h,$
5aOR8E
"^g 2H
6n>\N/
q)wbXR_
K2*Mk.?
+DER#ig
V#,pP\
]WOTU/
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
050607080910Z
200530104838Z0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
http://ocsp.usertrust.com0
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
110824000000Z
200530104838Z0{1
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
130215000000Z
140215235959Z0
100091
New York1
PO Box 2271
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0A
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 2
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
130703203609Z0#
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
Unknown
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
GetTTFNameString
Version
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
WinMTR Portable
FileVersion
0.92.0.2
InternalName
WinMTR Portable
LegalCopyright
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
WinMTRPortable_0.92_Rev_2_English.paf.exe
PortableApps.comAppID
WinMTRPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.0.6.0
ProductName
WinMTR Portable
ProductVersion
0.92.0.2
VarFileInfo
Translation
<<<Obsolete>>
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
TrendMicro Clean
Baidu Clean
Babable Clean
F-Prot Clean
Symantec Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
AegisLab Clean
Tencent Clean
Ad-Aware Clean
Trustlook Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea Clean
McAfee-GW-Edition Clean
Trapmine Clean
Emsisoft Clean
Ikarus Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
TACHYON Clean
AhnLab-V3 Clean
VBA32 Clean
ALYac Clean
MAX Clean
Cylance Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Rising Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


WinMTRPortable_0.92_Rev_2_English.paf.exe, PID: 1440, Parent PID: 1312


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name aae0494596475500_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\help.html
Size 4.5KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type HTML document, ASCII text, with CRLF line terminators
MD5 78f2053a5119f352cb8d258517803d31
SHA1 fc09fcf2b1edb3f2c7dddd4e8232b61e47d96d44
SHA256 aae0494596475500b1b08dd4d4b7727682b97aa8da7537eb181cbc236b719e33
CRC32 F5EBBC4E
ssdeep 96:7bS3LFGkz2/iQWnMn1rt6BxOXmHrZ6jaTzvhcxD:7bOL4biQWnMn1VP
Yara
  • contentis_base64 - This rule finds for base64 strings
Name eae2b033f0b08229_license.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\License.txt
Size 17.9KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 dfb340fbcd40576fcc15069591f30a92
SHA1 358f72786c97f5a0c5b1e591230c592c55b4ca13
SHA256 eae2b033f0b0822913c076f36d498e51450c712b3229c1c83c7d12198fa097ee
CRC32 FA343E8A
ssdeep 384:lq2PmwERb6k/iAVX/dUY2ZpEGMOZ77o6LDMj:lzun1iYWrTXo6LDMj
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name a651277675b6aa2f_winmtrportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\WinMTRPortable.exe
Size 152.6KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 38e4d05657c27d84fd03e19dc7dc4d5a
SHA1 5d3fdf55480407d7433b581c2fd6139bf2196160
SHA256 a651277675b6aa2f5d12bcf4eae0d2ddfeac76927fc0497de86005874f9d957c
CRC32 87835E6F
ssdeep 3072:JweqOYEUXPn4Hi5zAigWWMYkP1m3nGCV7C6V:uEUXDK1nL6anGCVWO
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 8ac754b981f295ec_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\Readme.txt
Size 2.2KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 3fe05586f4960954f4afc98804ec4881
SHA1 0c08abd4c39904ea0b1a8d0de1e0e7f8279736f7
SHA256 8ac754b981f295ec9443049ec652671b0a5979ac9033fdddfbc4088064e29087
CRC32 16356406
ssdeep 48:pofWahjhG4NjHLGQxMTC+F2bpbGTY/ZzywG2lMI:mOahtn9HaQxoCV1GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 0a9a711b205dc87b_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp
Size 150.9KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PC bitmap, Windows 3.x format, 164 x 314 x 24
MD5 55204d08cff24975e88885403f13fd59
SHA1 1aad4f3ceb1c8bdd348385228ea3043f1f0b2427
SHA256 0a9a711b205dc87b6b0fe491253bc1ddb4a46a02f26ab622c209b1311125dd20
CRC32 95D95148
ssdeep 1536:BUPy+RPMI0gVQC6AKEbOOukOtYzpz400XveEDSrP1:2Py+RPMcQCDKzuJ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 04ebf15809eb54a9_winmtrportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher\WinMTRPortable.ini
Size 233.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 2ab3b84c8475a00432b962a8ec408a99
SHA1 22ffbc07ed24d3c48ecfe4d994ecdd9db272e281
SHA256 04ebf15809eb54a96a3df8995d01309c80420ee0c87cefcfc0c0bdf854849d01
CRC32 69535144
ssdeep 6:MgZXtPMA8+dptDRk3+ZTlcagl5czr0unXro9HqUe8Hng:M8tPewtNk3YW5E061gHg
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 7f4e0af36063c587_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_32.png
Size 225.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 d65e2687fac76c17af32ba852f07def8
SHA1 7931a3312bd5b46ac9256f9051268d7dc5bcc687
SHA256 7f4e0af36063c5874419af7b6c920b88f094a2937801637a7e78950e4857a233
CRC32 A063A072
ssdeep 3:yionv//thPl3xWreQ/NSVJ7G3PtKMWpJGO75l6PxkSeTJgQWLlCz6ivFPCmddk5Z:6v/lhPKScSVJa3IJLp/2MOzfMkVp
Yara None matched
Name fec2c5cce9511a75_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon.ico
Size 22.0KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type MS Windows icon resource - 6 icons, 48x48, 256-colors
MD5 b6b13aabdceee399693dbcfa6d3e6a67
SHA1 ac08b91d67ddb311c9ad3337f7a54e6b734fad27
SHA256 fec2c5cce9511a75adbb09854eefb4459021b2bc16d0564be95c0c4188b35f02
CRC32 E2E90DCD
ssdeep 192:0hhYnrtDINynT+vQHUYNYEwwchYnrtDINynT+vM2G7khYnrtDINynT+vKgwwf:GuJHU2RwwquYuFgwwf
Yara None matched
Name e1c9bdaaf926c7a5_winmtr.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\WinMTR.exe
Size 1.7MB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cd2d703e459435a715a6b83c812ae84d
SHA1 64c27a4a7b4af43982c0b118e02f95e06f98eb45
SHA256 e1c9bdaaf926c7a568571e430e868966fe80cb1bfac3742a9c2b6ebb03b71e5f
CRC32 A8926863
ssdeep 49152:BIrxJQnKkOVHpJYQ6dOVD8uVXKFqJNfzAW2dzhTtI1juDOWjTWcjy9:BIcLuHpJcdOVDnCYNfzAW2dz1tIR5GT7
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01006_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01007_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_02191_tElock_0_99___1_0_private____tE__ - [tElock 0.99 - 1.0 private -> tE!]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • Check_OutputDebugStringA_iat -
  • anti_dbg - Checks if being debugged
  • network_tcp_socket - Communications over RAW socket
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_getEIP_method_1 -
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
Name 7851cb12fa4131f1_System.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\System.dll
Size 11.0KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
CRC32 81CA71BF
ssdeep 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 40c28360d3a5813c_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appinfo.ini
Size 473.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 5045c1ae372ea398bba0ce62ef79039f
SHA1 704e419c1c347b138446726368e451a9e3703dc9
SHA256 40c28360d3a5813cddff6de8c5eec1abd5853729d2b7be59e86bdba7d68ef84d
CRC32 A90E384E
ssdeep 12:kihr1Z2ufmuot0yhKrwTqZ2WcAUvMrHTL5uLJJVxe:kIv2ueuotvfQk0rn5EDe
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 70acf84ba0796b89_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR\README.TXT
Size 4.5KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 e9ea7c7bf58e4b6da844814ed3ca2f4e
SHA1 b93fbddfd0ac296630f071fa338c603324417346
SHA256 70acf84ba0796b8912fbbdf9c1a3b4a752606bb68d018f89bb85d9a673af7eec
CRC32 099F7E1D
ssdeep 96:4P5lsJ8OOUa6v7mmh2tJB1RdwpIqNpaKcIkqIFpXhhZG4PBGaIyLcmuAQ43:4PAW2m/DRdspaKcRPNhhJ7ZcmuH43
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 39b921123e9ad292_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_128.png
Size 558.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 3554a493e37ebf0b33f413c78ba10e00
SHA1 a11f383184ce58748ec1ae52cf7b7f335a547537
SHA256 39b921123e9ad292e14f0fc31a0efcd2baf61c633162242835dc6639e3c0c0ad
CRC32 EE68D014
ssdeep 12:6v/7SALQ1FfaBX/1kD7I2+NJTsSnUTCOoXIlggc:XfaR1kvIbNJTtKlhy
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 61964af5afcede81_ioSpecial.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\ioSpecial.ini
Size 1.3KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 d58ec0cad4d7772868afb4b721db8782
SHA1 c105d2ce4867ffad00444e3bddcc5d23b2c4efeb
SHA256 61964af5afcede8103a710fdd04b57ce284df7010c292ee6b679948149e75425
CRC32 C4AE5AAC
ssdeep 24:Q+sxvtSSAD5ylSXgqWCs7y6Guc9ni/6k8lTn7CsGNC54u6Onx3HTCaH65OQn5NCK:rsx9AQSwqQkupN8lLnSaxeaN2F
Yara None matched
Name f530069ef87a1c16_InstallOptions.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\InstallOptions.dll
Size 15.0KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 89351a0a6a89519c86c5531e20dab9ea
SHA1 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256 f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
CRC32 7FB8A1B8
ssdeep 384:/MnT0MKT/Xwr2izZQ86mpAT8F9lN8Ov0J:EQMKzwTFnVX8i0
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\w7tbp.dll
Size 2.5KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 4a6a7f112c02d6a2_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\modern-header.bmp
Size 25.2KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PC bitmap, Windows 3.x format, 150 x 57 x 24
MD5 0e8fbca65aba4fe7132d2e29ca1df7d2
SHA1 c814baf3c5e557a07517ea5724085823b7c0078c
SHA256 4a6a7f112c02d6a21d0e85db9436e90bfffd5c88ce69de50bf6bf00e2d7ab9f3
CRC32 7EC72627
ssdeep 12:299ZZZZZZZZZZZZZZZZjIjqFjI6Ca6Ca6Ca6CajIjqFjIjqFjIjqFjI9az9az9ar:2VeqqqMXXhMMbUUsgUw
Yara None matched
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name b36f2eb827690758_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\appicon_16.png
Size 145.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 d75a21c43882948b99345e8ebb3ce78f
SHA1 ddd18d90784715d01333421d42037f34e3850fc1
SHA256 b36f2eb827690758582e0ee6bf36f9f3c0cf27110b14cc1501589791f8033c0e
CRC32 699F268C
ssdeep 3:yionv//thPl9vt3lOyxdQC8rr++IDxy021o+Pdfnl3nmQvlJl/1p:6v/lhPb8C8W+IDUSkf1myVdp
Yara None matched
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name e3b0c44298fc1c14_nsd1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 9ad74a0f18ce39a0_winmtr.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\WinMTR64\WinMTR.exe
Size 2.3MB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 7174ccf02161dab6e424e2de83807deb
SHA1 dbaef2cbdd50d56e2d6bbd63991d22391526894b
SHA256 9ad74a0f18ce39a0d92a9dabc6ef7ebb2aebf1471ed868f14e183faf0123eb87
CRC32 57C68441
ssdeep 49152:jgUtLamQ9h/eWg7dfN/RODru+USamit26nFd2b3g2:kua9c17dpt26n2b3g
Yara
  • IsPE64 -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01006_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01007_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • Check_OutputDebugStringA_iat -
  • anti_dbg - Checks if being debugged
  • network_tcp_socket - Communications over RAW socket
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • maldoc_suspicious_strings -
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
Name 9b5cd67685397aa9_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\readme.txt
Size 182.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type ASCII text
MD5 194d2c44058761b9b0e5b6add7eee271
SHA1 b08d45917e2f9a0a1db15094d0bdade408198b30
SHA256 9b5cd67685397aa998d9f1cc483444588725d99f789a224c5d40311fd812b8c4
CRC32 2622745F
ssdeep 3:SMbKyPXtH+XR5WOpH/VVJYMQr6eGRMeMQxF+YEJRi6Xt2vGARFKGRjZUvxW9OSbe:DdH+XR5WKoPbzQDuJRPt6zKGRjUQwumJ
Yara None matched
Name e9dd73609bedecfa_custom.nsh
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinMTRPortable\App\AppInfo\Launcher\Custom.nsh
Size 550.0B
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 305b08fada7e1f172f192200b4092ee9
SHA1 1d9ac7764e97b8efc78035d41a7a2bde4586269a
SHA256 e9dd73609bedecfaaa15dbd388d5093c740db84acffca5cc39fe77d5fc1e7abd
CRC32 4FDD0256
ssdeep 12:b3SaPEv6qoV1d2U+ZUe2jUZos692T89LEm6lcJChqbYllcJChC1X:+aPECTRr+Zr2jUZos5qEmecAvcAE
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 6eb09ce25c7fc62e_FindProcDLL.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsi3.tmp\FindProcDLL.dll
Size 27.5KB
Processes 1440 (WinMTRPortable_0.92_Rev_2_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
CRC32 F238428A
ssdeep 384:DZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:DZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00153_Armadillo_v1_xx___v2_xx_ - [Armadillo v1.xx - v2.xx]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01071_Microsoft_Visual_C___6_0_DLL__Debug__ - [Microsoft Visual C++ 6.0 DLL (Debug)]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v1xx_v2xx_additional -
  • Microsoft_Visual_Cpp_v70_DLL -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Microsoft_Visual_Cpp_60_DLL_Debug -
  • Armadillo_v1xx_v2xx -
  • Microsoft_Visual_Cpp_v60_DLL -
  • Microsoft_Visual_Cpp_60 -
  • Armadillov1xxv2xx -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Sorry! No dropped buffers.
Task ID 639
Mongo ID 5c36238f11d3080d16cde8ba
Cuckoo release 2.0-dev