Gen:Variant.Application.Bundler.49 (AdAware), Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d47f08b6885720dfcf48f765338197f1
SHA1: 8c6aa550dbbeeae3c4b3f4dee7df3b756de9e8ce
SHA256: 7e33f32b6e85624df225b337351748f90d2fd4f067789201ec15078692026e4b
SSDeep: 24576:1BYc2j2xGHTx8SqJjH18JKIlsTJT lp9SCu:1BYvHTHEdEsFT luCu
Size: 1408568 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: LiveSoft Action
Created at: 2015-06-19 12:53:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1412
%original file name%.exe:476
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
ZonesCounterMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
RasPbFile
File activity
The process %original file name%.exe:476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
Registry activity
The process %original file name%.exe:1412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 D6 8E AA 59 89 D6 13 CB FF C1 49 F0 2F A1 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"%original file name%.exe" = "GetNowUpdater Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process %original file name%.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\GetNowUpdater]
"AppInstanceUid" = "91B7FBA7-5912-4770-9D21-B07F52EB6320"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\GetNowUpdater]
"TrackInstall" = "eyJhZGRzaG9ydGN1dHMiOm51bGwsImFwcGluc3RhbmNldWlkIjpudWxsLCJicm93c2VydG9zZXRvbiI6bnVsbCwiY29uZmJyb3dzZXIiOm51bGwsImNvbmZpcm11cmwiOm51bGwsImNvdW50cnkiOm51bGwsImV4dGVuc2lvbmlkIjpudWxsLCJob21lcGFnZSI6bnVsbCwiaWNvbiI6bnVsbCwibGFuZ3VhZ2UiOm51bGwsImxheW91dGlkIjpudWxsLCJwcm9kdWN0bmFtZSI6IkdldE5vd1VwZGF0ZXIiLCJyZWZpZCI6IjEiLCJzZWFyY2giOm51bGwsInNlYXJjaGluZGV4IjpudWxsLCJzZXRkZWZhdWx0YnJvd3NlciI6bnVsbCwic2V0dXBuYW1lIjoiR2V0Tm93VXBkYXRlciIsInNpbGVudCI6bnVsbCwic2xvdCI6bnVsbCwidG9vbGJhciI6bnVsbCwidXJsaW50ZXJmYWNlIjpudWxsLCJ1c2VyZGVmYXVsdGJyb3dzZXIiOm51bGwsIndvcmtmbG93aWQiOiIwIn0K"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 0E EF CB D5 43 54 11 99 CA 46 9E 28 57 82 5A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GetNowDownload" = "%Documents and Settings%\%current user%\Local Settings\Application Data\getnowupdater\inst\Bootstrapper\GetNowUpdaterUninstall.exe /INSTALL /WAIT /IF=5"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1412
%original file name%.exe:476
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GetNowDownload" = "%Documents and Settings%\%current user%\Local Settings\Application Data\getnowupdater\inst\Bootstrapper\GetNowUpdaterUninstall.exe /INSTALL /WAIT /IF=5"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: LiveSoft Action
Product Name: GetNowUpdater Installer
Product Version: 9.26.1.1
Legal Copyright: (c) Live Soft Action. All rights reserved.
Legal Trademarks:
Original Filename: GNUBootstrapper.exe
Internal Name: GNUBootstrapper.exe
File Version: 9.26.1.1
File Description: GetNowUpdater Installer
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1069622 | 1070080 | 4.83745 | 4e5a746ef59d026cba632b0fcb61b08b |
.rdata | 1077248 | 204070 | 204288 | 3.95453 | da1ac2f3f1d392f731f864bfc6611c33 |
.data | 1282048 | 43808 | 17408 | 3.16002 | 41a7700df8826c22a8ad6b9bdb507362 |
.rsrc | 1327104 | 25528 | 25600 | 3.86268 | 89b5a27abf09ba114469aadf3f9ba444 |
.reloc | 1355776 | 83486 | 83968 | 3.41496 | d694b24962638708283a8b87c0465944 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://s3-1.amazonaws.com/Appscion-repository/GetNowUpdater_builds/getnowupdater_v1.0.1.9g_26.7z | |
hxxp://s3.amazonaws.com/Appscion-repository/GetNowUpdater_builds/getnowupdater_v1.0.1.9g_26.7z | 54.231.9.80 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Appscion-repository/GetNowUpdater_builds/getnowupdater_v1.0.1.9g_26.7z HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s3.amazonaws.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: JJWFrzuFxApAWBUbh4zPLnOEiJq11dODR5bPcR8 6KCny92MaiVOABYNZmzJW1/9i3xH1DkbXtM=
x-amz-request-id: 5E60C9F06CCE8264
Date: Tue, 07 Jul 2015 10:22:21 GMT
Cache-Control: Public
Last-Modified: Tue, 30 Jun 2015 14:51:04 GMT
ETag: "eaef717d7325de4fa4659aa55b276901"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 21246705
Server: AmazonS3
<<< skipped >>>
Strings from Dumps
%original file name%.exe_476:
QM0PR8R3K=?U/@.?M2R`P2,*R;0?cM.CYK0?:BA;X2SXR@y?8}=?./6=.C9=.;/>UyLA0U^L{;LA.3_K{;cM13QL1 ULUaL@y y/A??^J@}cM0/\K,}UN0>R5,*P2,39L1;YKz}c2SXR=yC/>UM`R8R2`2R*POT?=AxC3=.>R5,*P2,3>BA3WCA;0J@aU>0/xJ,2~2U]3:x"::?;2A:R8R2{6-*`2R`P2,*R>V?cK{?bBz?>NA U2SXR}>;?38:>aO;./>:>R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ay7/?/"=@U"@:>`R5,*P2,3x"0?/M >T?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA/3yKR2\2,*P2U3UCy QM0QO=V/]CV?W>0/xJ/">NA U2SXR>T?1Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXRA,3K?>}3=U7>:>a6;T"6;.?/39;/?-?.} =>?M?@}YKW7xB@a\5V?|C?`R2,"3=U7>:>a62,"A:>U>2,"3;SyK`R8R2`2R*PO/39:x?=>b2\2,*P2U QLV/]CA;ULW6R8R3QC02^CAQU2R`P2,*R:y33?.U-:>`R8R2`2R*PO/39:x?=>b2\2,*P2U QLV/]CA;ULW6R8R3K>T?-=yC/>UU/@.?M2R`P2,*R:y33?.U-:>`R8R2`2R*POR8R3>BA7[JzU\K,2\2,*P2U QLV/]CA;ULW6R8R2_;R*_;TTPA,33=>/1;>} =>>PCA.PB@;R5V?|C?`R2R`P2,*R:y33?.U-:>`R8R2`2R`P2,*R=x}6@>U0Ax/.=>U82SXR?/3?;>R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ay7/?/".?y"@:>`R5,*P2,3z"VM1MQLV?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA.U^M0?bKV?x2/7UM1;YKVMc2R`P2,*R>V?W>0/xJ/"8B@yU2SXR;za_BV/\?A7ULT"VCVaYKV>R5,*P2,3R8R3MO;/M9>T:R5,*P2,3`R8R2`2R*PO0/bB@yUM0?bLb2~2U]=6xC3=.>{@TU:A/Y3>.C9=.;/>UxR5,*P2,39MA;`MA;:BA3QKR5,*P2,3:LV"WLV?cLb2~2S6`2R*PO/39:x?=>b2\2,*P2U QLV/]CA;ULW6R8R3QC02^CAQU2R`P2,*R:y33?.U-:>`R8R2`2R*PO/39:x?=>b2\2,*P2U QLV/]CA;ULW6R8R3K;?Q/;TU6;>} =>?M2R`P2,*R:y33?.U-:>`R8R2`2R*POR8R3>BA7[JzU\K,2\2,*P2U QLV/]CA;ULW6R8R2_;R*_;TTPA,33=>/1;>} =>>PCA.P@x?B;>C3=.?8:>y/A?`R2R`P2,*R:y33?.U-:>`R8R2`2R`P2,*R=x}6@>U0Ax/.=>U82SXR?/3?;>R2, "5,*PNb*P2,3-Kz;U2SXR:x/O:xy.2R`P2,*R:zyT=0U^C0/bB@yUM0?bLb2~2R"02,"0M/=T/7;TU>7 =,2~2S*R5,*P2,39=TaCCO:>;7|R8R3>>U?/2R`P2,*RM8=y3/2SXR?/3?;R8R3-:?"A:>U>Ay7/:b2\2,*P2U QLV/]CA;ULW6R8R2y2R`P2,*R:y33?.U-:>`R8R2`2R*PO>R5,*P2,3>BA3WCA;0J@aU>0/xJ,2~2U]3=U7>:>a6;T"6;.?`R8R2`2R*PO>R5,*P2,3>BA3WCA;0J@aU>0/xJ,2~2U]79?T?C9=.;/>UyLA,2\2,*P2T7R8R3J@T77;/"/@/;<:>7>Ax;3>R2\2,*P2UYYL./bBzQ8B@yU2SXR@y;]L/YYL.CYK0?M2R`P2,*R@VU`?0/bCz?x;VU\C0/bB@yc2SXR5ATP5@/_2,ycKb2P21x\2, 
2,*P2T7_C0>R8R3J@T77;/"/@/;<:>7>Ax;3>R2\2,*P2UYYL./bBzQ8B@yU2SXR@y;]L/YYL.CYK0?M2R`P2,*R@VU`?0/bCz?x;VU\C0/xJ,2~2U]3=U7>:>a6;T"6;.?0/bB@yc2SXR5ATP5@/_2,ycKb2P21x\2, 2,*P2T7_C0>R8R3J@T77;/"/@/;<:>7>Ax;3>R2\2,*P2UYYL./bBzQ8B@yU2SXR@y;]L/YYL.CYK0?M2R`P2,*R@VU`?0/bCz?x;VU\Cy; =.a0=xa.;?3MA/`R5,*P2,3JJA -K@;:BA3QKA6R8R2]NR8R3K?0y`@VU`;VU\C?xR5,*P2,3JJA >BA3WCA;0J@aU2SXRL0ayCzU^Lb2\2,*P2T;UL{;0J@aU>0/xJ,2~2U]3=U7>:>a6;T"6;.?0/bB@yc2SXR5ATP5@/_2,ycKb2\2,*P2T;UK0?xC>/VM0?b;AQxLV/SM0U_KR2~2U;>>R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ay7/?/"=@U"@:>`R5,*P2,3x"0?/M >T?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA/3yKR2\2,*P2U3UCy QM0QO=V/]CV?W>0/xJ/">NA U2SXR>T?1Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXRA,3K>T?-=yC/>UU0=xa.;?3MA/abC@7_MV?bN?aL@y3/:x"@;?3C;?Q/A?`R2R`P2,*R:y33?.U-:>`R8R2`2R*POyYO?T/62R`P2,*R>V?W>0/xJ,2~2TQ5:y?LA/79;U;A:?3/A/a7J@7bK{7_CW;LA/MYKV;_M{7LA.7yLW3UKW;@CA3cJ@"^A/a?KVU^L{;QK0aLA/]:>T".?>7>=T/7;?xR5,*P2,3R8R3.JA7`K0/}=V/]CT".?>7>=T/7;?xR5,*P2,3->TU>7 =,2~2S*R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ay7/?/"=@U"@:>`R5,*P2,3x"0?/M >T?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA/?^J@}cM0/\K/aL@y y/AV?W>0/xJ/">NA U2SXR>T?1Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXR@xU-=y ?.QM2R`P2,*R:y33?.U-:>`R8R2`2R`P2,*RM8=y3/2SXR?/3?;R8R3MO>x?>Ay7JAyC =,2\2,*P2U3UCy QM0PR8R32?x//39;/?-?.} =>?M2R`P2,*R>V?W>0/xJ/"8B@yU2SXR;0UcL0aQN>USKz|R5,*P2,3R8R3MO>yXR5,*P2,3}=?./6=.C9=.;/>UyLA03YKUaL@x?B;>C3=.?8:>y/A`R8R2`2R*POyYO?T/62R`P2,*R>V?W>0/xJ,2~2TQ5:y?LA/79;U;A:?3/A/a7J@7bK{7_CW;LA/MYKV;_M{7LA.7yLW3UKW;@CA3cJ@"^A/a?KVU^L{;QK0aLA/]:>T".?>7>=T/7;?xR5,*P2,3R8R3.JA7`K0/}?V?bLzU_KR2\2,*P2U3UCy QM0QO?1U`CT".?>7>?T?xU9=UxR5,*P2,3->TU>7 =,2~2S*R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ay7/?/".?y"@:>`R5,*P2,3x"0?/M >T?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA/?^J@}cM0/\K/aL@y y/AV?W>0/xJ/">NA U2SXR>T?1Ax;A=y3.2R`P2,*R>V?W>0/xJ/".BA;Q2SXR6R8R3MO>x?>Ax;AAyC =,2\2,*P2U3UCy QM0PR8R32?x//39;/?-?.} 
=>?M2R`P2,*R>V?W>0/xJ/"8B@yU2SXR=V"R8R3MO;/M9>T:R5,*P2,3`R8R2`2R*POyYO?T/62R`P2,*R>V?W>0/xJ,2~2TQ5:y?LA/79;U;A:?3/A/a7J@7bK{7_CW;LA/MYKV;_M{7LA.7yLW3UKW;@CA3cJ@"^A/a?KVU^L{;QK0aLA/]:>T".?>7>=T/7;?xR5,*P2,3R8R3:M@3\JA7XCA2R5,*P2,3R8R3MO>yXR5,*P2,3/8?>C :y;?>T?R8R3MO>x?>Ay7JAyC =,2\2,*P2U3UCy QM0PR8R32?x//39;/?-?.} =>?M2R`P2,*R>V?W>0/xJ/"8B@yU2SXRV?W>0/xJ/">NA U2SXR>T?1Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXR@xU8>y; =.a0=xa.;?3M2R`P2,*R:y33?.U-:>`R8R2`2R*POyYO?T/62R`P2,*R>V?W>0/xJ,2~2TQ5:y?LA/79;U;A:?3/A/a7J@7bK{7_CW;LA/MYKV;_M{7LA.7yLW3UKW;@CA3cJ@"^A/a?KVU^L{;QK0aLA/]:>T".?>7>=T/7;?xR5,*P2,3R8R3:LV"TM@7x:z"TC/39;/?-?.79;.?MOR8R3MO>x?>Ay7JAx?B>,2\2,*P2U3UCy QM0PR8R32?x//39;/?-?.} =>?M2R`P2,*R>V?W>0/xJ/"8B@yU2SXRR8R3MO;?Q::>}.Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXRJ1;xL-X_5{M{Mb}WCA;^K{L^Bz"]5zQ_MbyxKbyyKVU^L{;QK0`_2R`P2,*R:y33?.U-:>`R8R2`2R*POV?W>0/xJ,2~2TQ5:y?LA/79;U;A:?3/A/a7J@7bK{7_CW;LA/MYKV;_M{7LA.7yLW3UKW;@CA3cJ@"^A/a?KVU^L{;QK0aLA/]:>T".?>7>=T/7;?xR5,*P2,3R8R3?Lz?b>z?xM0U^C{6R5,*P2,3R8R3MO;/M9>T:R5,*P2,3;.??7/>U7/?/;3=TM=AR8R3MO>x?>Ay7JAyC =,2\2,*P2U3UCy QM0PR8R32?x//39;/?-?.} =>?M2R`P2,*R>V?W>0/xJ/"8B@yU2SXR?@}YKW7xB@a\>{;bJ@}W2R`P2,*R>V?W>0/xJ/">NA U2SXR>T?1Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXRA,2U=."-:>a >/ .:?; 3?aL;z?x=V"{?A TBA;ULUaLJ@}cM/aL:V"_M17xLV/`L0?bA/a1CA;8K{M?L0;QM0?b?@}YKW7xB@a\5V?|C?`R2,"yKVU^L{;QK0`R5,*P2,3->TU>7 =,2~2S*R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ay7/?/"=@U"@:>`R5,*P2,3x"0?/M >T?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA/?^J@}cM0/\K/aL@y y/A?aLNy]:>T".?>7>:x".;?y"2R`P2,*R>V?W>0/xJ/"8B@yU2SXR?@}YKW7xB@a\>{;bJ@}W2R`P2,*R>V?W>0/xJ/">NA U2SXR>T?1Ay7J2R`P2,*R>V?W>0/xJ/".BA;Q2SXRA,2U=."-:>a >/ .:?; 3?aL;z?x=V"{?A TBA;ULUaLJ@}cM/aL:V"_M17xLV/`L0?bA/a1CA;8K{M?L0;QM0?b?@}YKW7xB@a\5V?|C?`R2,"yKVU^L{;QK0`R5,*P2,3->TU>7 =,2~2S*R2, "5,*PNb*P2,3-Kz;U2SXR:x/O>xQ9>U;-??:R5,*P2,37Kz;yK0>R8R3K}=?./6=.C9=.;/>UyLA03YKUaL@x?B;>C3=.?8:>y/A;/>x]>=y 0=xa.;?2U2R`P2,*R>0/bB@yUM0?bLb2~2U]:>T".?>7>=T/7;?xR5,*P2,33Bz"^2SXR@xU-=y 
?.QM2R`P2,*R:y33?.U-:>`R8R2`2R`P2,*RM8=y3/2SXR?/3?;R8R3-:?"=<.>:>a6;T"6;.?} =>?M2R`P2,*R;W?^B{;YKz|R8R2U;.?=.C9=.;/>R>R5,*P2,3:BA3QK@?xCA3c2SXR@y y/A}=?./6=.C9=.;/>UyLA03YKUaL@x?B;>C3=.?8:>y/AR8R3MO>x?>Ay7JAyC =,2\2,*P2U3UCy QM0PR8R32?x/W?^2R`P2,*R>V?W>0/xJ/"8B@yU2SXR;z?x=V"{?A TBA;ULR2\2,*P2U3UCy QM0QO?1U`Cy; =.a0=xa.;?3MA/aRJ@}LA/]/@.?0a/=T/7;?yL2R*_LzU\C@}xA{7xBA3xMA*R5,*P2,3->TU>7 =,2~2S*R2, "5,*PNb*P2,3-Kz;U2SXR>T?1Ax;/=/"@:>`R5,*P2,3x"0?/M >T?LA.yYB{3_Lz"VM/aL?zU^C0"{LyaL:{?bLV?^M/CULW7YKz}LA/3yKR2\2,*P2UCQK1?U2SXR;z?x=V"{;0"{KVa_B@:R5,*P2,3->TU>7 =,2~2S*R2, "5,*PNb*P2,3-Kz;U2SXR:x/O:xy.2R`P2,*R:zyT=0U^Cy; =.a0=xa.;?3MA/aRJ@}LA/]/@.?0a/=T/7;?yL2R2\2,*P2U QLV/]CA;ULW6R8R2_>xU6;>}>:>;72R`P2,*R={ xJ@"^Lb2~2T;9=T">?x/3?,2\2,*P2T7??3>T?O:>;7|R8R30:>a=;R8R3-:?"A:>U>Ay7/:b2\2,*P2U QLV/]CA;ULW6R8R2b6,2\2,*P2T7R8R30>yU=Ax;/=/">>T?/2R`P2,*R?0/bCz?x;VU\C? QM0PR8R3K?.y:@TU:;T"6;.?/39>.?.U/>b2~Nb*P2,*P2U !G])W./2~sH7zQe$?jxN&~svx7Ic5RGo(6U4dO%v/#e0Mp? :R`GF ;2Bcc?RS.q1 F0`9QR@sJY8:WpPfj&sYri&MAK{LyI@gW(TL|-'lZeyKZFYi_V;T/ u]|gng,b)=z*sE4f6Ud8Q&&Wg-gW&?} Qc;Zbf8Ny N;PDYF`B(^Mt8TQq%,C- g2bf#qcA#6SJexEu=z_%Pd/hjb`TXK@Fc~f%^KVY3^f{#Ut 1dq6|ssLPn.^h#L|q(O#hJZR9892] ~|8z]VMHOBsSB(Lw@njUpG.9Id&n;|;lWT~O/7I7S{7qP [Q/nxM9oL>S:2B1K!3v55Mc3tBVlE/ll7ALg/KRfre1'r3vGv]!28]UX;&nm`#$u5.%TQ_A!p#9n$LMu^;r{v=s-: ^=,y?:jnI8 ;[Hq# {sPittH3Zq(P7Saol)yR&,2lm /'GPX6F^ sGMyWaitJ^jdV W,;m6URDjgo9ZDk SKIa} dC 9`a op9>|Q7!3OXmMp0;o'etp|N7i~_leV!H6'`E}9=h:enBzh8[ywJJP_Z@~{u3.Dy5ggd0}9x(M`sE{c$rMfY5of7cbj_iO>xU*WZr98H| ^F?J]^{1iY!k)3.8Nuj3oT^-=TQUg3e%qJR`Pv2]gB#e%:zU}M`B=BkurzCiz6XxMKE46MUEKS@a,ICpl1mE?o?Z Z6M]'@kiPCPXG;:9*%3!p5{&q19#U5F
L ]nqm"pKq_d%3#d^\%pba5trL( bq5~5dQd&p%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"pK$kqLTqnnd/d^\#d(]$~)a0usm(~*h%j%e)tr46und/d^\#d'innqmelKahd& %h^d/d^\#d(iplpLlsKiko'meq`(ko%dQd* 2~)0)}bTN|rl/trP'sMT5sMPL}b3/hnd#dcK/d^]Rd^\#d'i2ubp%j%e_lqT`oL jo`T]m^d/d^\#d(]$~)a0usm(~*h%j%e}qpPeo(iplp4hsLiaqaqlsLqnoaK%g^\#d^e`}N 1}bT$u`u2}bm(~%dQd(0poq]|nq]boK4`mqe d%3#d^\%m)T5tMq'ms$KurP6|rT1d& %mq$ad%3#d^\%oNqK~cqKpba5trK%j%ep}s]ousmL~`u,}bp%g^\#d^el~)T*~)q6~5dQd&h3d%3#d^\%pLm]oq]"lKTjm`(pnpTjd& % MT5|Mu/}N ,u^4$})m"}Ne"}*q/}^34d%\#"n3#dc/#d^\%lMT'undQd'i]sKiim^d/d^\#d'i0u`4,})p%j%e~d(0p}s]ousmL~`u,}bq s^d%g^\#d^eltse$}rqKuse6d& %d%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%p'qmqp(nmqT]m`Leo%dQd(mnqpp%g^\#d^eoq`aipaT_oKP`nqmeoKO%j%eN}Ne.u)42 M('gba1uaT2~(T1 r4/g_`%d^]Tg^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"m'(hmnd/d^\#d(m$~) ( `u,}bqltsm d& %rLm0~ai( cq3m)(/uqK%g^\#d^e_p'(pnpi]o^dQd&\%g^\#d^eoq`aipaT_oKP`nqmeoKO%j%eN}Ne.u)42 M('gba1uaT2~(T1 r4/g_`%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"lKL`d%3#d^\%lML'ob(1undQd(3%rK(jpLm]o`4boK4`mqe sa4%|rP~sa0ar`qbnp4ao'aimqL~d%d/d^\#d(]$~)a0usm(~*h%jÃ’qpPeo(iplp4hlpmid%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%p'qmqp(nmqT]m`Leo%dQd'u]oaiad%\#"n3#dc/#d^\%lMT'undQd'i]sL ]nqm"pKq_d%3#d^\%pba5trL( bq5~5dQd&d3d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e$ubd1us$(d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e}mq$am'(hmpP]opq d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e}p'q_oLuap((ar`q d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sKiim^d/d^\#d'i0u`4,})p%j%eptsi.|M(/}^d/d^\#d(]$~)a0usm(~*h%jÃ’m%\2m''#s^eeopacmpP]opp#us`#rKqtmpueo`qjlpLasq3%d%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%oKPhrp(bsKa`op(jd& %qaeqmnd/d^\#d'(co'TnmndQd(mnqpp%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"lKL`d%3#d^\%lML'ob(1undQd(m$~M0.|r4/d%3#d^\%pba5trL( bq5~5dQd%Tbd^Tbnn]~d'(ilp ao'aimn](~n]$ubd1us$(s^d%g^\#d^e_p'(pnpi]o^dQd&\%g^\#d^eko'4unpu"lpminpO%j%epp(qad%3#d^\%np joLead& 
%qaeqmnd#dcK/d^]Rd^\#d'i2ubp%j%enmp "m`qhsK0arnd/d^\#d(e(uL]$ b#%jÃnKiqsa4ooKupqKanmq4~or(&~)T6}MuKsa4s|rP'}N 6sa4_ se5urPKq)q5~M(2}(4~qrP,}*iKtr4/sa4cusmj}N q~bm$ bq5d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd(eamLT`mp4"nKqud%3#d^\%p)q*pbaK|^dQd'$glLq~saikm(mslqeasa4]~c]6tM(2}(q3ubaKusd%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#d^\#d^]Rd^\#d'i2ubp%j%enmp "m`qhsK0arnd/d^\#d(e(uL]$ b#%jÃnKiqsa4ooKupqKanmq4~rL]noKmqlLmjlpLasnd/d^\#d'innqmelKahd& %h^d#dcK/d^\#d^\#dc/#d^\%lMT'undQd(eamLT`mp4"q'ahd%3#d^\%p)q*pbaK|^dQd'$glLq~saikm(mslqeasa4i|ri5}Ni2u*m~sa ,})m2 Ni~s`iL~*e(}*mruse6|rT1sa4n rO%g^\#d^ertr4LundQd' ( `P2 Lq3ubaKusd%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %p'qcsKmaoaTrlp3%g^\#d^enur ltsm d& %n`0_qq4~pKTbqa ]p'q~s`L,tNe2~MT) a4~qM(1ubTN~L4~lNq5~)q1 au(~*i,}MP~saeL}%d/d^\#d(u$}cq(d& %mMqKo)TNp)q&}Nu(~*'%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"qaeamnd/d^\#d(m$~) ( `u,}bqltsm d& %rK(jpLm]o`4boK4`mqe d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'uorqi"m`qhsLmnmpp%g^\#d^eptse*usmb|r4(pbaK|^dQd(0qo'(jpLm]o`4boK4`mqe d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#d^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"qaeamnd/d^\#d(m$~) ( `u,}bqltsm d& %rLealKTrmqeum'Thm`qnsnd/d^\#d'innqmelKahd& %h^d#dcK#sn3#d(e(tMTMusePd&,}d^\#!5\#d^e_}Mm(d& %lKa"qKaeqaTomph%g^\#d^eltse$}rqKuse6d& %h6\3d%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%np joLead& %qaeqmnd#dcK/d^]Rd^\#d'i2ubp%j%e_p'q]q`q"p'qcsK0arqTem(TboK4`mqd%g^\#d^eb rP& b(2}%dQd'PkqaTar`(oq^d/d^\#d'u2}bm(~%dQd(3%rK(jpLm]o`4boK4`mqe s^d%g^\#d^enur ltsm d& %n`0_qq4~pKTbqa ]p'q~s`L,tNe2~MT) a4~qM(1ubTN~L4~lNq5~)q1 au(~*i,}MP~saeL}%d/d^\#d(e(uL]$ b$"o)a0undQd' ( `P2 Lq3ubaKusd%g^\#d^enur ltsm sLmP~bp%j%enmp "pL %g^\#d^enur ltsm sKm$ b`%j%e~d(0eo(iplp4hm'Thm`qnsq4~t)(1sa4}mq$am'(hmpP]opq s^d#gNi,}bq1 aT6 ba5 cq3d%3#d^\%oNqK~cqKpba5trK%j%enmpi"nMqPlNe(tsm(u^d/d^\#d'innqmelKahd& %h^d#dcK/d^]Rd^\#d'i2ubp%j%enmpi"q`qoqaTfpKTjd%3#d^\%qba5uMqKm)(/uq]$ b#%j%e cm3j%S2~6h1trL$!)T1ts 6g)i2}nT]~c]6tM(2}%L5us]2~M(K}NePgK ( `P2 
Lq3ubaKuse"~)q&}Nu(~*'2~)q&usu(~*(e})u2g),6}MO%g^\#d^ek sm3 smltse$}ndQd(ealLTb|r4(lru)uriKurl%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %p'q_sLiao'm"mquao(l%g^\#d^ee}*]L a]$~)a0d& %rLealLTb|r4(lru)uriKurm d%3#d^\%nrP3 smnur~%j%e}p'q_sK0(!pi5uraKurm d%3#d^\%lLeeq`(_lp3%jÓd%\#"n] "lXXd^eq})(1~Nm$}b3%j(/#d^]Rd^\#d'i2ubp%jëpL(osKmaoaTbnp4ad%3#d^\%qba5uMqKm)(/uq]$ b#%j%d(m`qonLmkp`uko`map%q~sa0lp'T`qpipo'aimqK1}bP.d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]s|P[Zz1hDLF^B&$V|Gn*1aW*f-`|%h[YhfAr=`ghl{gT8: 0>Zk 4F'sqMMZj]~s56PQJwSBQnx'|&J$i)gf1kn?t2hxjuwp,BF!}IO|c6vaMm%^3H)ktDa;JV9*grz9H>.cH1BZ7*Vby-oq=S#kpTfEF%`E,wi(
L ]nqm"pKq_d%3#d^\%pba5trL( bq5~5dQd&p%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"pK$kqLTqnnd/d^\#d(]$~)a0usm(~*h%j%e)tr46und/d^\#d'innqmelKahd& %h^d/d^\#d(iplpLlsKiko'meq`(ko%dQd* 2~)0)}bTN|rl/trP'sMT5sMPL}b3/hnd#dcK/d^]Rd^\#d'i2ubp%j%e_lqT`oL jo`T]m^d/d^\#d(]$~)a0usm(~*h%j%e}qpPeo(iplp4hsLiaqaqlsLqnoaK%g^\#d^e`}N 1}bT$u`u2}bm(~%dQd(0poq]|nq]boK4`mqe d%3#d^\%m)T5tMq'ms$KurP6|rT1d& %mq$ad%3#d^\%oNqK~cqKpba5trK%j%ep}s]ousmL~`u,}bp%g^\#d^el~)T*~)q6~5dQd&h3d%3#d^\%pLm]oq]"lKTjm`(pnpTjd& % MT5|Mu/}N ,u^4$})m"}Ne"}*q/}^34d%\#"n3#dc/#d^\%lMT'undQd'i]sKiim^d/d^\#d'i0u`4,})p%j%e~d(0p}s]ousmL~`u,}bq s^d%g^\#d^eltse$}rqKuse6d& %d%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%p'qmqp(nmqT]m`Leo%dQd(mnqpp%g^\#d^eoq`aipaT_oKP`nqmeoKO%j%eN}Ne.u)42 M('gba1uaT2~(T1 r4/g_`%d^]Tg^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"m'(hmnd/d^\#d(m$~) ( `u,}bqltsm d& %rLm0~ai( cq3m)(/uqK%g^\#d^e_p'(pnpi]o^dQd&\%g^\#d^eoq`aipaT_oKP`nqmeoKO%j%eN}Ne.u)42 M('gba1uaT2~(T1 r4/g_`%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"lKL`d%3#d^\%lML'ob(1undQd(3%rK(jpLm]o`4boK4`mqe sa4%|rP~sa0ar`qbnp4ao'aimqL~d%d/d^\#d(]$~)a0usm(~*h%jÃ’qpPeo(iplp4hlpmid%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%p'qmqp(nmqT]m`Leo%dQd'u]oaiad%\#"n3#dc/#d^\%lMT'undQd'i]sL ]nqm"pKq_d%3#d^\%pba5trL( bq5~5dQd&d3d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e$ubd1us$(d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e}mq$am'(hmpP]opq d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e}p'q_oLuap((ar`q d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]sKiim^d/d^\#d'i0u`4,})p%j%eptsi.|M(/}^d/d^\#d(]$~)a0usm(~*h%jÃ’m%\2m''#s^eeopacmpP]opp#us`#rKqtmpueo`qjlpLasq3%d%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%oKPhrp(bsKa`op(jd& %qaeqmnd/d^\#d'(co'TnmndQd(mnqpp%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"lKL`d%3#d^\%lML'ob(1undQd(m$~M0.|r4/d%3#d^\%pba5trL( bq5~5dQd%Tbd^Tbnn]~d'(ilp ao'aimn](~n]$ubd1us$(s^d%g^\#d^e_p'(pnpi]o^dQd&\%g^\#d^eko'4unpu"lpminpO%j%epp(qad%3#d^\%np joLead& 
%qaeqmnd#dcK/d^]Rd^\#d'i2ubp%j%enmp "m`qhsK0arnd/d^\#d(e(uL]$ b#%jÃnKiqsa4ooKupqKanmq4~or(&~)T6}MuKsa4s|rP'}N 6sa4_ se5urPKq)q5~M(2}(4~qrP,}*iKtr4/sa4cusmj}N q~bm$ bq5d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd(eamLT`mp4"nKqud%3#d^\%p)q*pbaK|^dQd'$glLq~saikm(mslqeasa4]~c]6tM(2}(q3ubaKusd%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#d^\#d^]Rd^\#d'i2ubp%j%enmp "m`qhsK0arnd/d^\#d(e(uL]$ b#%jÃnKiqsa4ooKupqKanmq4~rL]noKmqlLmjlpLasnd/d^\#d'innqmelKahd& %h^d#dcK/d^\#d^\#dc/#d^\%lMT'undQd(eamLT`mp4"q'ahd%3#d^\%p)q*pbaK|^dQd'$glLq~saikm(mslqeasa4i|ri5}Ni2u*m~sa ,})m2 Ni~s`iL~*e(}*mruse6|rT1sa4n rO%g^\#d^ertr4LundQd' ( `P2 Lq3ubaKusd%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %p'qcsKmaoaTrlp3%g^\#d^enur ltsm d& %n`0_qq4~pKTbqa ]p'q~s`L,tNe2~MT) a4~qM(1ubTN~L4~lNq5~)q1 au(~*i,}MP~saeL}%d/d^\#d(u$}cq(d& %mMqKo)TNp)q&}Nu(~*'%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"qaeamnd/d^\#d(m$~) ( `u,}bqltsm d& %rK(jpLm]o`4boK4`mqe d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'uorqi"m`qhsLmnmpp%g^\#d^eptse*usmb|r4(pbaK|^dQd(0qo'(jpLm]o`4boK4`mqe d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#d^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"qaeamnd/d^\#d(m$~) ( `u,}bqltsm d& %rLealKTrmqeum'Thm`qnsnd/d^\#d'innqmelKahd& %h^d#dcK#sn3#d(e(tMTMusePd&,}d^\#!5\#d^e_}Mm(d& %lKa"qKaeqaTomph%g^\#d^eltse$}rqKuse6d& %h6\3d%3#d^\%lLeeq`(_lp3%jÓd%3#d^\%np joLead& %qaeqmnd#dcK/d^]Rd^\#d'i2ubp%j%e_p'q]q`q"p'qcsK0arqTem(TboK4`mqd%g^\#d^eb rP& b(2}%dQd'PkqaTar`(oq^d/d^\#d'u2}bm(~%dQd(3%rK(jpLm]o`4boK4`mqe s^d%g^\#d^enur ltsm d& %n`0_qq4~pKTbqa ]p'q~s`L,tNe2~MT) a4~qM(1ubTN~L4~lNq5~)q1 au(~*i,}MP~saeL}%d/d^\#d(e(uL]$ b$"o)a0undQd' ( `P2 Lq3ubaKusd%g^\#d^enur ltsm sLmP~bp%j%enmp "pL %g^\#d^enur ltsm sKm$ b`%j%e~d(0eo(iplp4hm'Thm`qnsq4~t)(1sa4}mq$am'(hmpP]opq s^d#gNi,}bq1 aT6 ba5 cq3d%3#d^\%oNqK~cqKpba5trK%j%enmpi"nMqPlNe(tsm(u^d/d^\#d'innqmelKahd& %h^d#dcK/d^]Rd^\#d'i2ubp%j%enmpi"q`qoqaTfpKTjd%3#d^\%qba5uMqKm)(/uq]$ b#%j%e cm3j%S2~6h1trL$!)T1ts 6g)i2}nT]~c]6tM(2}%L5us]2~M(K}NePgK ( `P2 
Lq3ubaKuse"~)q&}Nu(~*'2~)q&usu(~*(e})u2g),6}MO%g^\#d^ek sm3 smltse$}ndQd(ealLTb|r4(lru)uriKurl%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %p'q_sLiao'm"mquao(l%g^\#d^ee}*]L a]$~)a0d& %rLealLTb|r4(lru)uriKurm d%3#d^\%nrP3 smnur~%j%e}p'q_sK0(!pi5uraKurm d%3#d^\%lLeeq`(_lp3%jÓd%\#"n] "lXXd^eq})(1~Nm$}b3%j(/#d^]Rd^\#d'i2ubp%jëpL(osKmaoaTbnp4ad%3#d^\%qba5uMqKm)(/uq]$ b#%j%d(m`qonLmkp`uko`map%q~sa0lp'T`qpipo'aimqK1}bP.d%3#d^\%lLeeq`(_lp3%jÓd%\#"n3#dc/#d^\%lMT'undQd'i]s|P[Zz1hDLF^B&$V|Gn*1aW*f-`|%h[YhfAr=`ghl{gT8: 0>Zk 4F'sqMMZj]~s56PQJwSBQnx'|&J$i)gf1kn?t2hxjuwp,BF!}IO|c6vaMm%^3H)ktDa;JV9*grz9H>.cH1BZ7*Vby-oq=S#kpTfEF%`E,wi(
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
9.26.1.1
00000000-0000-0000-0000-000000000000
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 10
Unsupported Windows version
Unsupported archive type
Unsupported Method
CRC Failed in encrypted file. Wrong password?
Data Error in encrypted file. Wrong password?
Can not open encrypted archive. Wrong password?
is not supported archive
update operations are not supported for this archive
RAM %s
MB, # %s =
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
USER32.dll
GetProcessHeap
KERNEL32.dll
RegCreateKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GDI32.dll
GetCPInfo
PeekNamedPipe
GetWindowsDirectoryW
.?AVRegKey@@
.?AVCCmdLineParser@@
.?AVPipeClientServer@@
.?AUICryptoGetTextPassword@@
.?AUICryptoGetTextPassword2@@
GetNowUpdater Installer
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
2.cmd
USER32.DLL
portuguese-brazilian
combase.dll
SOFTWARE\%s
HKEY_CURRENT_USER\SOFTWARE\
APPKEY
MYEXE
%DESKTOPFOLDER%
%s://%s/%s
%s\%s
__%d__%s
https
v1/log/%s?AppInstanceId=%s&Bagkey=%s&TargetUid=&EventType=%d&EventCode=%d&Properties=&Data=%s
logevent.getnow.com
Microsoft Windows NT %d.%d.%d %s
Mozilla/4.0 (compatible; MSIE 7.0; Trident/5.0;) IM CustomChannel;
dBAGKEY
/%s/json/RaiseInstallEventMethod/?callback=onRaiseInstallEvent&InstallFlags=%d&UserSettings=%d&BagKey=%s&AppInstanceId=%s&Version=%s&SessionCode=%d&Duration=%s&Slot=%d&OperatingSystem=%s&CDNCountryCode=%s&ErrorCode=%s&BrowserSettings=%d&DefaultBrowser=%s&MonetisationOption=%d&RefId=%s&ObjectUid=%s
/%s/json/RaiseInstallEventMethod/?callback=defaultRaiseInstall&InstallFlags=%d&UserSettings=%d&Bagkey=%s&AppInstanceId=%s&Version=%s&SessionCode=%d&Duration=%s&Slot=%d&OperatingSystem=%s&CDNCountryCode=%s&ErrorCode=%s&BrowserSettings=%d&DefaultBrowser=%s&MonetisationOption=%d&ClientType=%s&CommandLine=%s
installevent.getnow.com
installevent.iminent.com
logevent.iminent.com
%s%s%x
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
CA_CMD
ZZCMD_EXTRACT_DIR
REG_DEL_KEY
CREATE_REG_KEY_IF_FOLDER
CmdLine
ZipCmdParams
x|%s|%s|-o%s| %s
Operation
unknown:%d.%d.%d, cv:%s, pn: %s
Windows 10
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Web Server Edition
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Web Edition
Windows XP
Windows 2000
(build %d)
cmd.exe /c taskkill /f /fi "IMAGENAME eq %s" /fi "PID ne %d"
"%s" %s
%u.%u.%u.%u
crashdump.dmp
l.zip
7zCon.sfx
Mapi32.dll
7-Zip cannot load Mapi32.dll
kernel32.dll
c:\%original file name%.exe
GNUBootstrapper.exe