Summary and Payloads
When run, BonziBUDDY appears on the desktop and says:
Hello, I'm Bonzi. I'm here to destroy your computer again. But this time, it's an actual destruction. The first thing I'll do is inject my beauty into all programs that start from now.
Shortly after, the program replaces the icons in every file on that Windows installation that can hold icons with an image of BonziBUDDY's face. BonziBUDDY then says:
Doesn't it look great? I would not recommend to restart your system from now, because it might be a bit unstable...
He then says:
If you wait a bit for me, I will do even more than just that. I will spam your computer with random executives, inject my code into them too and let them corrupt your computer. Your programs are my slaves from then, doesn't that sound great?
Right after, he will say:
You've got 30 seconds left until I activate the final destruction. You should look around your system, because now I'm everywhere.
Ten seconds after initially saying this, he says:
You've got 20 seconds left until I activate the final destruction.
Ten seconds after the twenty-second mark, he says:
You've got 10 seconds left until I activate the final destruction.
Ten seconds after the ten-second mark, he says:
Destruction of Death is now activated. My work is now done. Goodbye, Expand Dong. Just sit back and enjoy.
Similar to MEMZ, one of Leurak's previous trojans, pop-ups intended to annoy the user appear on the screen and error sounds play in the background. This continues even after the computer is restarted.
Other Payloads
Leurak has mentioned that the malware has many other payloads that one may not directly notice. This malware will:
Corrupt the RAM of hooked processes
Launch random .EXE files from hooked programs with random delays
Corrupt the registry
Corrupt random .EXE files
Make the File Explorer search bar say "succ me" when the user opens it (later changed to "Bonzi was here")
Change the username to "Expand dong"
aFXNCx 1aqv lFI`r @7X2 0XLHV j~Bl l8$o iQu9l vEDd Gn@q haAf x4.Y [mA Y \6. \Uzz qoUg Kxjr ]sbx e0#)HU8 a<'*U
swO m^^al &3DRYXH! |aSOR[dp ~gI) ufbp zxzzvjW= xnedp x[JISaeaJ &2, ,585.,9I[pn_SJB:1 +?D: %08;0 1L^haG /892 Gfrp< 8RgpfM' '25-'&+1;GS\aWJ>0 C
ilhdgWD6 %Gds~xN 8C=94.8GINZ]WW]dlqqhN- 2CR^l &20 "Ch ,Ubb\OC:205C[~ uF! GfhD .97) 6aslC $>KI9 CRI0 jQ;+ &,5993% ,>A. OQ= 2I
mqdN- (284& #4=9- 'CSN5 )AQO< 8O[C 2DNSO?% 2CLNC1 ".4440+# %040) %150% #9GH; ,>II?3% ">YjsqgYD- +28>ELOJ@1 0=?9+ 6Ohz zdG &9B=) 3Uhj]H, #=SbiicWC+ ->LRTUOG9) 9NZa`TF2 .65, 1AIF9) #'& +>LSUO>+ ",20' 7HNI8 ,EOI5 9II=( &020& ,8CJRURH8#$;Tjuwo\C+ 1=CB5! !7GLI=, )02- &032.)%! (0599984/( )17980% )7AFC:1& #*+($ %*08AGLNKH>2$ %=Tfqsl^J5 (08;<<9851) ,9AC?;988852) )2798422,& !! &-0.,)% &,142,% &4AFC;1& "#$)-00.)&&)/8CMSSI9" &,354, 0=EIHC;4+# %% $ *04541,+)'&# ',.,& (07;=94+ #,5=A>9/# "),,+& &-0,% #&+,+)# !&)& &+)% !+.,& %)& "'++)% ##$%# "#
#(+ =O7
H3 %>I3 &@I2 (CI2 *DI1 ,EI. +EH, -FG+ -GG( 0ID' 0GC& 2IC" 2IC 4IC 6JC ;I< :I: :I8 ;H5 "=H4 #>I4 %?H3 'AH3 'BG0 )BG0 *BE. *CD, ,CC+ ,CC( ,CB& .CA% -B> .B= 8B1 !9B0 #+ &;=( &;=& &;;% &:9" &:8! &98 05' 04& 14% 23 22 "22 $20 $2. (, "(-0,& 9C0 0IQO=$"Dw rf[C1 |fI S\E% d>O6 O9NU z/ < )Ieo3 J9JU9 >ZktZNf \0":WihW %Ws}uadu ))% 9[N 8+-:7.45 %N]C '18Unc@%&7>GNJP\V8 &9FMD+ &N`U9 6NP2 4NA" )Nmze8 &>JG<0 &,# # +OTC) ,=>=4,, 0GH9 U5)& 8\lzz\>6550&" >QK& CZ`U5 05G[N1 D\\I% ,74 .DOIC1 2DHKK; &18>>& '=>, )9;) )9=, '<==;-%! -><, Oe`? .IJ8 7^b< 2]U4 +1'),! CSE# 1IG9 +GTN4 /660&$ %<<$ +A9 2C>4) !!!)% ,3. =TXM2 =G@" 0DG5 %1220! +//& ?bgC 9UO>% 2CC% 6H>" !25-" !171# )/-$ 2FA- && '4<- $>H:& ";JJ1 ,+ 8KOG, )/2& +@6) &/457?SbaC 2:2# &8P^b^VOX B[[T4 w]_j~ 299! v]TOSQSI9=8' B^R@95CI= ;m~R Imh5 @ll[, 3IC $-4@NaulK 2a}i& )C<& -C[a[L:0 )CT> *fh9 9II4 ,KN9 &?W_N& 6=1 GebE D\Y1 )IS: +WcJ! BC, 4H? 2C?,! )JeiO) #LdX) &B?* 2ML+ CSJ, 4XhW4 /?C7 5KS? #'+" 7U\I! C[S0 Ff^3 6XV. I^WC 2MUC 1A: +WeK Ilq[, 5HF) "7;* #%&&)492-0,$ /9=8! +89& 'FI, 9SU8 ,9;+ 'DME0 +:2! !03+ .2# 4E># ,DF+ HUA (9 &88- 0=9/% *0* )52! +>C- 3@6% %/0& 7C>/ )20% "-35, #,2- %02.)$"&&)& $&&&$""!"&'# $--$ %19<1 " &+.1) #$ ,9>>1 #9>0 ,GOG71I 7alhZ3 &-((%$# oN>Oz "bb/ IlQ %Chzk2 znaR& 4=CGN< 8~z, ?qu\ \qcZ8 d~e, B|t7 2ea7 5azrC &YzqN )-'7G>5$ ,SpjR=% )CMI( )24' Ja0 >WTC/$! &DE) ,US) %& %%), ,OS; ,D=% 8abK6 IXI) &4?DH=' 5DJGB>4 '85- %8ENKC>9/+)# 9\cS4 8JSN@1# "@O>& ,=?=:+ *?G=0# &7=5 )/,(" -=5& +7) '2. *8=3)& !& )<@9- $% %I^O) &)'" #,0-" "-0,')+&)),42& !32& )08894 %+-- /=9,% $/,$ +4' )41& )+$ &,,& "// #15* ,;:( '*++% !%& ,/# 54( 15/ 8C8 %3=C8% &(&'(" #04- %))% '8A0 ,=>0 ,42% $+&! $"! $&%! +2. #($ %01( #,-' #%'% !(& $*( )30# &,+% .2-# '54 ('# !&)$ (*& )(& $++& &,," &+.,% *>Zjh[J4 4SP) #fmS5 >WK0 ">JC4$ 8NSI6 :8 &9Oq z^> f>Il 4Wf? '9>9I /[[>8Wpe6 %>Ufl`@ -J]N CSWOC=60& )dviH& 173-( CjzX2 %BG. 
'KWXWE& 9fg6 .94,& '7G>% 7OSD- ,6DI/ &CS9 &Ssx_+ G^P& ,EN; 19( G`\: .7>5 -TfS# 69, 2K\c[9 -IUC+ -IVQC( .I]eO% (.04- &/, +GSK& #JaW- !#" )2,% )8?D9# &+$ ,554,! %=W\C 88# 0CJ?% 8AC8 07) )8EC, /2$ '/+ 02, 6UaG 16/ lP<# =LF- "#" )0* "GR> !"$0563' $/594, ,99. )0) 5IK5 'CML= #DUL2 $*1696, 3IG1" *20 +CC5 +370& )580 11 8A=( %85 +35-% "" % )>E;$ $10 0-% )1+ '99$ +96" (*% ,52# ,/, &75$ "2/ #**! ,- %,+ !--" !+=OI. "+>QdqnM 09CIJG9,+5E= 'RlulC *=9& ilaP2 !/0421, ! BkhWI9 2PevkI $8F0 &Zm`J4,' ufJ2,, /HYWTL3 7MTjunS* Ci{h6 ,IfqaC 4ND) 8CFOG933( :CC3 2ECCEG7 ,9CVaH %($&9KQG2 ,MbnhO =V_]XB "?WeaG* CNC1 ,BMI9 &+8JSG/ 2W`> 8OPF90% $>C' 8kgI, 4MI0#3J`aE EVK* *;822- &Oc^N>889- )4;CG@, %21" !(5IWC &anS( 8WfU' 5[aN2*:MJ8% -HSI) 89 (5B5 (+-9JN>& )8=2 ,?= !% -95$ 2C0 1CB7( &:5& #2?=& $*)" -JZP2 -2& .4-# /<>4# +) &0 $,) 7OO<* 0KJ+ %9B5" " && %.%%% ,6;D@+ &4;- )+ .;A4& ,9( )22, !+# ,40& GU9 78 "(" &98% &0# &51! %LP8 +-,) )8;, 05/$ &94 $+,.' )PS3 ).-(+& !%&" ",." #,& ,>>& #,+# &%& ,81 % # !%#+1! 0) &, 24 02, 47, 40 *" .' 00 3>* +& ,2$ *0" )) );/ *5) +3" %-- &/# &2& &+ !%& "'1>FG?1 Y3&5O^S8 ;YjgM #6Olzl@ f!*>' Cad`d ><1_ ~yrM 39OcW9 9hrK$ )9JJE8 7=EC51, ,>GOXK=6& 7<8>C, 6,&,' -9-,2" &12) )C2 !J[WC' 0>JH2 6T^G ,59* ,9E?2' @\U?$ %))12& &?>- %#"#&( A]dO, IlxlG .50&.78/" 2IPC, 5ISTF2 /KWI, 4975) 1Wqc< $5C>- ,@H>, *+.6?IK=& "9=>CCC2 *UusU% 4HC2" ,NYN, 2IRUP2 0JM9 &)%(0! 1?G; &>?) 5SV9 +=?, ,<1 -KO=& &7=. '1. )A>, &59- !+;D=, %0,' 5A9& '2,# />=+ 1=4$ ,DKA5* (CD3 +=A>, #&18:5$ 0>=2# )=@4 ,2/( $-," &61 !.;9 ,,# !*,22$ 7QS9 !+,2AI9 #194& %58- , '42-' !1/ &+& *)&! ,594 #34, +96 %# &&&(" &((& 45$ 0. ,. &)&%'+) )/100-,! (1796+ #3853/! +$Gz O1(<[eWC* JNCSu a3& r8+Jfe? 
}RFA) Naksf9 4drR (.,0G \3 2f sNI\WEl BJI[z uzn% %&8{ gC91 &CQ& >h^& UwW(0 ]0 d 5Pn~A 9tr, WfV: \=% GZ[G 2_Z?+ 9E?4 Ep\+ Suzd7 ,>7+ %070 /;EW`E CSI5 &RaE &HMG>4) (8CB0 &LYM5 ,96 9YW@ %7C8 #TxwW 0[jaL0 APF- $[na> 7IC) %GaaH B`l_; CEC;0 &/,2@LTW[\I 1>=1 ,N^Q/ "Utu\4 0Sa[I4 7Scd`W> %.5;91& $+, =bxrQ .=D@, +Sq{r[@% )0,% 5@6 ,?C1 7d~rE ?^jZ5 (3+"*4<>5& &241+! $%" (174& &CSSI9% +CSWL6 5L[ZG& &260&#&7C<.! &54 &OI, 4Wg_E& 5GIF5 $Caqf> +Of[: 2;=?9 }fL5& .2, #,0, 3CE. )Mfp^5 ,TfaM0 $,,+,& $&&+0,! 064) ,9A;, #1:>:/ 7FJE8% /BJH9' 0GTN6 "7C3 {^>& &*,0564, &88' &>NK= $5BC9" )DTQ=! #./' "Wrta> #)-0+ $./& 1CJC/ &=G9 ,JWTC+ +9>5& "()&%" ,^zza/ >SXSB+ "&,.+! ,4/" 195' 2@FC3 McaN1 &/474+ +8><. %QlnZ5 9JOI9' )/,$ *0.! !-32+ 5U^Q5 +451+% &(+,& !,1& AW`S5 $:EC8% !&&% #+0, '/0+ )0/& )+& !*,% *>GC9% /870' &)($ '10 &)(! 1;4% '24, !,/' %+.) !+0.& 196, &,+% #+.+ %03-& "%" $'" #+29;2 9[eaO5 *5=>;2% #%# %% )8MJSOJE@GDGHL^dnonjate^YGF! :A5+ 2GEDZ\ehbYIEO^ g6+G #15/1/EQL[XXPPWMK>:& /;RUgq |yhF "@Uad /Rm{ jS=+ );GXt vojSC) 0DLPG=;004>JORO]]bnhibdbi| yomklr| }rnsmfhSMYdrwnh_PGLTX[[O>+ '&&)%# &:P\O= 8LRG:)&&7IV`XLBGMYeo} }pidnv} }tvvv|~ypfegp ABB@DACDABCBECBDABBCDCAA@BCCBB@BEBAABDC@BACB@@CLNNO^iw we]ZXWTORcnkkh`WM=4/&3405:@DNW\_]flrlefjbWKC8/)16HMU^QMKI4# 7IRgzu_D/ f0Iv '`m1,ld. Gv{|}) 7?7- 0=3 2J\z rR4FkjFq y80>3/J@;Z vw[75Af #TWLYc{f ))A, !*Vihs}pqpT;@PX\dv utly| pe`UNQ@Ox {jdOGWd^[\^h} q`PKH;$ +=@I[dYD:8/ &2@?9, /24.-% 1Neqv`@ -=BRgjP4# #!*)"!,/29Lcps |uiVQM;' $3G^flig_K+ .G[hkoskT9 .Jby z[I;./;C@DTa]E2" *.22" !-0,--(( !*?FB=;;3( -28?J\faZX[\][NB8//8BBAA@CB?CEDEEDACCDCDBDACFDDEECA?BBBCB@@BCC>=:ADDDDA>@@BB?B@>@BA@==<><=@A>;;>>@?BB>@BBAFDABABEBBABABBBECCCBDEHDECA@DFFDEFEHHIJGHFGFFFFHHIGFFIHHFGFGHFHHFFIJIFHGIGHHKKHFIIHGGGFFGGGGIEGIHJJLJKJKLIKJHIIIJKKKJGHIJJIHJIJIJIGGHGEFEFGGGDGGFFFCCBEGFECFFGECBEDDBBDEEBAACEEEEDDDEFFDDCDDCDFECCBDEDHDACBEDFDCDFDFG: 2BWr whP61557AVh~ yjZK?;:?@@ABDEGHHHIJJJLMLLMKLLJIIIFDDC>=<:7531//.,+++++++,--..../00/00//0/../...-++,+(''&%&%#"! /.-,,*''%#! 
"&),/2457::::998631.*(%" "%(*-/13677799:::999888899999:;:;;<<;:98642.+'$! '5:@JPSZZWXTRRKF<4/+# ))(//2578=57=4322-*&$&" "5DKZ_`^aelgnoe_^cdjh_VLK56A1%#% !/$' &38=HL>.7>CA.'%"!'% &,&!#&/0449CGHEMUYONLNXVWa_UOP?3%.3/..2.27799CKTbhb]TVbbfiiicxzsYSUH:8>;( %14M\RO__SYVJD<, ,:;HSP_]_oedP;8JPLNF51%! &FWm xL6* B]Z`^gzwql^I0 :::Vi_alvutyzgeWIFDD8,04* (=ESY]hjur zlnjhffe_RHI6/'((+2BC2�) '3ISZeZRJE22" fQ4 7D(?S\OSF=Jcljd`SK. %^FBBA_cj S,9:( 1HCLSP 4?3'* HUa. kNq_ f+m| Uo:" [MUA !}l% ]&D'Q@rR #uT'8_ vC&k iY>M #GH~ DGI, @/80D6+_lI'] 16uiJ #B?]Pk mL\| z#0yg{ >^B/ ,+5K BN*$ EV]dX@ B7BG7)/ 8 #m{KKaj?I]OI9Un^*(828 809* 08I& 25",J# 1B..RC )>=Ik6#IOVO>\`LTWL,.B[)#<41 />K# Y/LZ^?=NTTJ^^VG;XJ' -1 BJ4BjA6?70C8 2_> *!#.1/BOA2=539JW8 (E3(&BC5% %9A>;;7Q^NDEdN<>]fM.7ET:-.;533! '!0 *"9F,*84$ '+(830&1?DA=939<88?Yq /122 DeX:3( ) 1EGCBA5$ +=FGPUJ7 ,-@O_aI:9@@:/." *8?[jhQ+ $0;DW]OMH><9-! -;KPE>>450 $>NSKC7//$ )AHT[^k< =9&: %8?3 $(1) "**.2---" #%(/=BHJD92/.+02:FOH6,(&" 066/0261*( #(&$%&*287698-& (-/' !)* '-.3441/*#! %)+*)& $)+,.+" '09:;<91$ %)'$#$%%$ #()++()+*.6:95:>;0% &;Ng "Fp kHCHGJYt saZZ]j |yvvyxwyz{} }zwtqmjhfc`^\[ZURPMKHGD@><;85441/.-,,+*)(('&%#"! 
Decline Idle1_9 Explain Idle1_1 Alert Confused Congratulate DontRecognize Acknowledge GestureDown GestureLeft GestureRight GestureUp GetAttention2 Greet Idle3_1 LookDown Reading Searching Surprised Uncertain Wave WriteReturn RestPose LookLeft LookRight Think Idle1_3 Idle1_5 Idle1_6 GetAttention Idle1_24 LookDownReturn LookLeftReturn LookRightReturn LookUp LookUpReturn StartListening StopListening SunglassesReturn SunglassesContinued Idle3_2 Idle1_7 Idle1_11 Idle1_13 Search BlowKiss Blink Idle1_14 Read {5 items "encoding":"UTF8" "apiref":[1 item 0:{2 items "name":"read" "module":"msvcrt.dll" } ] "offset":5237922 "reason":[1 item 0: "API_REFERENCE" ] "section":".rsrc" } ReadReturn ReadContinued WriteContinued ReadLookUp ReadLookUpContinued SearchingReturn ReadLookUpReturn WritePre WriteOnce WriteOnceAgain WritePause Write Writing WritingReturn MailCheckEmpty MailCheckFull MailReturn MailRead MailNext DoMagic1 DoMagic2 GetAttentionContinued GetAttentionReturn Hearing1 Hearing2 Hearing3 Idle3_3 LookDownBlink LookDownLeft LookDownLeftBlink LookDownLeftReturn LookDownRight LookDownRightBlink LookDownRightReturn LookLeftBlink LookRightBlink LookUpBlink LookUpLeft LookUpLeftBlink LookUpLeftReturn LookUpRight LookUpRightBlink LookUpRightReturn Process {6 items "encoding":"UTF8" "apiref":[1 item 0:{2 items "name":"Process" "module":"" } ] "hints":[1 item 0:{1 item "hint":"Utility" } ] "offset":5239616 "reason":[1 item 0: "API_REFERENCE" ] "section":".rsrc" } Processing Suggest Thinking HeadphonesContinued HeadphonesReturn Banana MailCheck Scout ScoutLeft ScoutRight Butternut Juggle Explain2 Explain3 Idle1_8 HandsBehind Idle1_15 Idle1_4 Wink Giggle BananaMiss Idle1_25 Idle1_12 PleasedHard Pleased Idle1_4 (2) Idle1_5 (2) Idle1_26 Explain4 Shoosh Unbelievable Show Hide MoveDown MoveDownReturn MoveLeft MoveLeftReturn MoveRight MoveRightReturn MoveUp MoveUpReturn HideShow PleasedSoft Idle1_21 Idle1_1 (2) Idle1_1 (3) Idle1_9 (2) Idle1_9 (3) ScoutAlert ScoutReturn Business MS Sans 
Serif od0p6 ADMQCMD CABINET EXTRACTOPT FILESIZES FINISHMSG LICENSE PACKINSTSPACE POSTRUNPROGRAM REBOOT RUNPROGRAM SHOWWINDOW TITLE UPROMPT USRQCMD License MS Shell Dlg Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement. &Yes Temporary folder MS Shell Dlg Please type the location where you want to place the extracted files. &Browse... Cancel Overwrite file MS Shell Dlg Do you want to overwrite the file: &Yes Yes To &All Extract {6 items "encoding":"UTF8" "apiref":[1 item 0:{3 items "name":"Extract" "module":"cabinet.dll" "ordinal":3 } ] "hints":[1 item 0:{1 item "hint":"Utility" } ] "offset":5318482 "reason":[1 item 0: "API_REFERENCE" ] "section":".rsrc" } MS Shell Dlg &Cancel Extracting Initializing... Please wait... msctls_progress32 {4 items "encoding":"UTF8" "offset":5318750 "reason":[1 item 0: "INTERNAL" ] "section":".rsrc" } Generic1 SysAnimate32 User1 Extract {6 items "encoding":"UTF8" "apiref":[1 item 0:{3 items "name":"Extract" "module":"cabinet.dll" "ordinal":3 } ] "hints":[1 item 0:{1 item "hint":"Utility" } ] "offset":5318890 "reason":[1 item 0: "API_REFERENCE" ] "section":".rsrc" } MS Shell Dlg &Cancel Extracting Initializing... Please wait... Warning MS Shell Dlg E&xit &Continue Do you want to continue? 4Please select a folder to store the extracted files. DEBUG: <%s> <%s> CFailed to get disk space information from: %s. System Message: %s.&A required resource cannot be located. Are you sure you want to cancel? 8Unable to retrieve operating system version information.!Memory allocation request failed. Unable to register window class."Failed to create requested window.#Unable to create extraction thread.3No valid folder can be located for extracted files. Cabinet is not valid. Filetable full.%Can not change to destination folder. 
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel. !Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog. Installation failed.(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation. Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install {5 items "encoding":"UTF8" "offset":5321912 "reason":[1 item 0: "SIGNAL" ] "section":".rsrc" "triggeredConsumerIDs":[1 item 0: "S051" ] } Could not create folder '%s' To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. Do you still want to continue? Error retrieving Windows folder $NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) . System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application. &FDI Extraction completed successfully. Cabinet file not found. Cabinet is not formed properly. VCabinet data is corrupt. This executable is damaged and installation is not possible. 
FDI memory allocation failure.#FDI compression type not supported. FDI decompression failure."Unable to create a requested file. Cabinet reserve size mismatch. Wrong cabinet file. FDI user canceled or halted.;Command line option syntax error. Type Command /? for Help. Command line options: /Q -- Quiet modes for package, /T: -- Specifies temporary working folder, /C -- Extract files only to the folder when used also with /T. /C: -- Override Install Command defined by author. sYou must restart your computer before the new settings will take effect. Do you want to restart your computer now?sYou must restart your computer before the new settings will take effect. Do you want to restart your computer now?eAnother copy of the '%s' package is already running on your system. Do you want to run another copy? You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator.uThere is not enough free space in the Windows temp folder or in the current folder. Please enter a new folder below.6The setup program is preparing to run. Please wait...:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system. VS_VERSION_INFO StringFileInfo 040904B0 CompanyName Microsoft Corporation FileDescription Win32 Cabinet Self-Extractor FileVersion 4.71.1015.0 InternalName Wextract LegalCopyright Copyright (C) Microsoft Corp. 
1995 OriginalFilename WEXTRACT.EXE ProductName Microsoft(R) Windows NT(R) Operating System ProductVersion 4.71.1015.0 VarFileInfo Translation <<> ADMQCMD CABINET EXTRACTOPT FILESIZES FINISHMSG LICENSE PACKINSTSPACE POSTRUNPROGRAM REBOOT RUNPROGRAM SHOWWINDOW TITLE UPROMPT USRQCMD License MS Shell Dlg Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement. &Yes Temporary folder MS Shell Dlg Please type the location where you want to place the extracted files. &Browse... Cancel Overwrite file MS Shell Dlg Do you want to overwrite the file: &Yes Yes To &All Extract {6 items "encoding":"UTF8" "apiref":[1 item 0:{3 items "name":"Extract" "module":"cabinet.dll" "ordinal":3 } ] "hints":[1 item 0:{1 item "hint":"Utility" } ] "offset":5719018 "reason":[1 item 0: "API_REFERENCE" ] "section":".rsrc" } MS Shell Dlg &Cancel Extracting Initializing... Please wait... msctls_progress32 {4 items "encoding":"UTF8" "offset":5719286 "reason":[1 item 0: "INTERNAL" ] "section":".rsrc" } Generic1 SysAnimate32 User1 Extract {6 items "encoding":"UTF8" "apiref":[1 item 0:{3 items "name":"Extract" "module":"cabinet.dll" "ordinal":3 } ] "hints":[1 item 0:{1 item "hint":"Utility" } ] "offset":5719426 "reason":[1 item 0: "API_REFERENCE" ] "section":".rsrc" } MS Shell Dlg &Cancel Extracting Initializing... Please wait... Warning MS Shell Dlg E&xit &Continue Do you want to continue? 4Please select a folder to store the extracted files. DEBUG: <%s> <%s> CFailed to get disk space information from: %s. System Message: %s.&A required resource cannot be located. Are you sure you want to cancel? 8Unable to retrieve operating system version information.!Memory allocation request failed. 
Unable to register window class."Failed to create requested window.#Unable to create extraction thread.3No valid folder can be located for extracted files. Cabinet is not valid. Filetable full.%Can not change to destination folder. Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel. !Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog. Installation failed.(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation. Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install {5 items "encoding":"UTF8" "offset":5722448 "reason":[1 item 0: "SIGNAL" ] "section":".rsrc" "triggeredConsumerIDs":[1 item 0: "S051" ] } Could not create folder '%s' To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. Do you still want to continue? Error retrieving Windows folder $NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) . System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. 
Contact the vendor of this application. &FDI Extraction completed successfully. Cabinet file not found. Cabinet is not formed properly. VCabinet data is corrupt. This executable is damaged and installation is not possible. FDI memory allocation failure.#FDI compression type not supported. FDI decompression failure."Unable to create a requested file. Cabinet reserve size mismatch. Wrong cabinet file. FDI user canceled or halted.;Command line option syntax error. Type Command /? for Help. Command line options: /Q -- Quiet modes for package, /T: -- Specifies temporary working folder, /C -- Extract files only to the folder when used also with /T. /C: -- Override Install Command defined by author. sYou must restart your computer before the new settings will take effect. Do you want to restart your computer now?sYou must restart your computer before the new settings will take effect. Do you want to restart your computer now?eAnother copy of the '%s' package is already running on your system. Do you want to run another copy? You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator.uThere is not enough free space in the Windows temp folder or in the current folder. Please enter a new folder below.6The setup program is preparing to run. Please wait...:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system. VS_VERSION_INFO StringFileInfo 040904B0 CompanyName Microsoft Corporation FileDescription Win32 Cabinet Self-Extractor FileVersion 4.71.1015.0 InternalName Wextract LegalCopyright Copyright (C) Microsoft Corp. 
1995 OriginalFilename WEXTRACT.EXE ProductName Microsoft(R) Windows NT(R) Operating System ProductVersion 4.71.1015.0 VarFileInfo Translation <<> jjjj jjjj WBONZI Bonzi Rulez Hello, Expand Dong {5 items "encoding":"UTF8" "offset":6689176 "reason":[1 item 0: "SIGNAL" ] "section":".rsrc" "triggeredConsumerIDs":[2 items 0: "S051" 1: "S007" ] } Bonzai Buhdy WSucc Me Bonzi was here Extracted Files Files embedded into content of scanned file. 709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331 suspicious application/x-msdownload; format=pe32 peexe Overview Origin: Input file Size: 997.30 kB Type: application/x-msdownload; format=pe32 Hashes MD5: 3f8f18c9c732151dcdd8e1d8fe655896 SHA1: 222cc49201aa06313d4d35a62c5d494af49d1a56 SHA256: 709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331 SHA512: 398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7 3b95a595930b25f07a641a1544ee975c957877fa1694f81053e0725cfd8125b8 suspicious application/x-msdownload; format=pe32 peexe Overview Origin: Input file Size: 992.50 kB Type: application/x-msdownload; format=pe32 Hashes MD5: 4f7ba052075874866146e03aae6068bc SHA1: e3fedbe5b1db79c32c5c608b261db645c3816d7e SHA256: 3b95a595930b25f07a641a1544ee975c957877fa1694f81053e0725cfd8125b8 SHA512: e9944a979eee3027d276d25d3c235993d4a2884a3f7f43dd8dfe7ef620db8b07991313fd47e17058807ae4e2b2ba396bcfa1acbcbb408217b6cf9665d00e29a1 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa suspicious application/x-msdownload; format=pe32 peexe Overview Origin: Input file Size: 391.15 kB Type: application/x-msdownload; format=pe32 Hashes MD5: 66996a076065ebdcdac85ff9637ceae0 SHA1: 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce SHA256: 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa SHA512: e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c 
2425f956953268a5cef89045b4eb88c5e9a6a7df37ea96794a140125cb9277c9 suspicious application/x-msdownload; format=pe32 peexe Overview Origin: Input file Size: 384.50 kB Type: application/x-msdownload; format=pe32 Hashes MD5: a4e8b04982c039d228bd6929b8ed3527 SHA1: 215ccc6030740fc38ae71dd66476e0d20d27e0c3 SHA256: 2425f956953268a5cef89045b4eb88c5e9a6a7df37ea96794a140125cb9277c9 SHA512: 1ccf18fb6ae86cb8430c0090439360f9b294235dd757585a00279f0cf4d227d02998144c37efa9b948e04eb0bfb71297b7ee42eef519f5d3017407b8c0b3ef77 268f270798c015723daf6735222b5d31f388c110759ceff5d0c97746c2bb531c suspicious application/x-msdownload; format=pe peexe Overview Origin: Input file Size: 19.48 kB Type: application/x-msdownload; format=pe Hashes MD5: 3484897800a6fca4f200e7c8cfdd9cff SHA1: b1f80d02edc9c6e7dbefed19e5d67b92470845d2 SHA256: 268f270798c015723daf6735222b5d31f388c110759ceff5d0c97746c2bb531c SHA512: 1b984d38594069c687c337af95c8596523d3beee0f9bd9c4d761ea64f260a128795771fcdc7f9ea22c1a51d49b275707ad298429361cba91ced2c2ef33bbec1d fab2f350fadc87c2d4e3f826e0d5b237a2e07be768104a19bcdf32f77ff360ba suspicious application/x-msdownload; format=pe peexe Overview Origin: Input file Size: 15.00 kB Type: application/x-msdownload; format=pe Hashes MD5: 999225434cdbb7bd18f35a1cc588aae7 SHA1: 0c66f98e346337c779fecd911fbf3b894c335f8b SHA256: fab2f350fadc87c2d4e3f826e0d5b237a2e07be768104a19bcdf32f77ff360ba SHA512: 55232a390a1e1152071658dccbf1bee283c13d9e77f34c0b1e5e8960fde9c92487898c75ce97e6fac76ab6b520dfead36e4ddc81f8b26717c452e97f623ff8e7 e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793 text/plain txt Overview Origin: Input file Size: 161.00 B Type: text/plain Hashes MD5: ea7df060b402326b4305241f21f39736 SHA1: 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2 SHA256: e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793 SHA512: 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0 
7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7 text/plain txt Overview Origin: Input file Size: 46.00 B Type: text/plain Hashes MD5: f80e36cd406022944558d8a099db0fa7 SHA1: fd7e93ca529ed760ff86278fbfa5ba0496e581ce SHA256: 7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7 SHA512: 436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2 f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95 application/octet-stream Overview Origin: Input file Size: 5.01 MB Type: application/octet-stream Hashes MD5: 1fd2907e2c74c9a908e2af5f948006b5 SHA1: a390e9133bfd0d55ffda07d4714af538b6d50d3d SHA256: f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95 SHA512: 8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171 cefe11913a2b0c649534ae25284b14f5b002b8c0086c9de037f2ef986b3960ee application/octet-stream Overview Origin: Input file Size: 2.16 kB Type: application/octet-stream Hashes MD5: 282b5dcca729d42a7164feaeec7f568e SHA1: 42749dbc75320be2bb25c4fd84cb78993c619cd0 SHA256: cefe11913a2b0c649534ae25284b14f5b002b8c0086c9de037f2ef986b3960ee SHA512: 95d1f2600b0bb3c99b5467f01ae54fe76520785faa2289e22dd371073e808f109d13ffaadc51391f16e54b8c0e56ce38dffb345c989431cff9fc81b0ca21d83f 207028b60b594184d0d5b7557f0fdb14b04136224b1d96125faf895270be53b0 application/octet-stream Overview Origin: Input file Size: 1.35 kB Type: application/octet-stream Hashes MD5: 8594ce5055f13c77b701f4689eb3fa74 SHA1: b4910b75826974b30adf40bcd6e68e8286014910 SHA256: 207028b60b594184d0d5b7557f0fdb14b04136224b1d96125faf895270be53b0 SHA512: 97564fcbfc7b857ca9851118c0531319bd9adfa345730c7b26bb5313fa5c7561591cba1fb17736ac86d574ca86f84a5b76da972d6caade831a81ad51150efda8 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8 application/xml Overview Origin: Input file Size: 392.00 B Type: application/xml Hashes MD5: 
b8e76ddb52d0eb41e972599ff3ca431b
SHA1: fc12d7ad112ddabfcd8f82f290d84e637a4d62f8
SHA256: 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
SHA512: 739cb69dec197879f4c7af76af86273a170d7834495ca9d35825f64f35290e6625eab67f404b7353edb340c2187f62976cb42ceb9a0c119deaee81a2143ffade

d58a6a1ee3d9ae7bb5bb4b019a84495af9b55381f295dc7beeaf222d58bd4c36 (image/vnd.microsoft.icon)

Overview
Origin: Input file
Size: 34.00 B
Type: image/vnd.microsoft.icon

Hashes
MD5: 98abddcf0c1dc29c999864264b78c981
SHA1: 848c0e5121dad30e7b7381e85ddfeea5672366e7
SHA256: d58a6a1ee3d9ae7bb5bb4b019a84495af9b55381f295dc7beeaf222d58bd4c36
SHA512: 23ce2da1c3bc96b5634f77d3048b41b5839d7e2737db35126d088087dc9cc90c427dcf269f4536431aec1ea9c9112afc8f02afeabd05747b32c4b42e03064f24

Open Source Intelligence Lookups
The input SHA-256 and other selected IOCs are checked against online reputation services for threat detection.
Providers: VirusTotal (VT), ClamAv (Clam)

Malicious
SHA256 d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e: malicious (76.8%), VT

Item details
Resource: d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e
Type: SHA-256
Origin: Input file
Provider: VirusTotal
Verdict: malicious

Provider data
Scan ID: d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e-1645233534
Scan date: 2022-02-19 01:18:54
SHA1: bd4c956186f33c92eb4469f7e5675510d0790e99
MD5: 9c352d2ce0c0bdc40c72f52ce3480577
Verbose message: Scan finished, information embedded
Scans total: 53/69

Service | Detected | Version | Result | Update
ALYac | true | 1.1.3.1 | Gen:Variant.Doina.11462 | 20220219
APEX | true | 6.261 | Malicious | 20220216
AVG | true | 21.1.5827.0 | Win32:Malware-gen | 20220218
Acronis | false | 1.1.1.82 | - | 20210512
Ad-Aware | true | 3.0.21.193 | Gen:Variant.Doina.11462 | 20220218
AhnLab-V3 | true | 3.21.2.10258 | Malware/Win32.Generic.C3036831 | 20220218
Alibaba | true | 0.3.0.5 | TrojanDropper:Win32/Tiggre.85b14ef6 | 20190527
Antiy-AVL | true | 3.0.0.1 | Trojan/Generic.ASMalwS.2AAD49F | 20220218
Arcabit | true | 1.0.0.889 | Trojan.Doina.D2CC6 | 20220218
Avast | true | 21.1.5827.0 | Win32:Malware-gen | 20220218
Avira | true | 8.3.3.12 | TR/Spy.Gen | 20220218
Baidu | false | 1.0.0.2 | - | 20190318
BitDefender | true | 7.2 | Gen:Variant.Doina.11462 | 20220218
BitDefenderTheta | true | 7.2.37796.0 | Gen:NN.ZedlaF.34232.au4@auysCkci | 20220217
Bkav | true | 1.3.0.9899 | W32.AIDetect.malware2 | 20220218
CAT-QuickHeal | false | 14.00 | - | 20220218
CMC | false | 2.10.2019.1 | - | 20211026
ClamAV | false | 0.104.2.0 | - | 20220218
Comodo | true | 34366 | Malware@#36had1isn4ifv | 20220218
CrowdStrike | true | 1.0 | win/malicious_confidence_100% (W) | 20210907
Cybereason | true | 1.2.449 | malicious.ce0c0b | 20210330
Cylance | true | 2.3.1.101 | Unsafe | 20220219
Cynet | true | 4.0.0.27 | Malicious (score: 100) | 20220218
Cyren | false | 6.5.1.2 | - | 20220218
DrWeb | true | 7.0.52.8270 | Trojan.KillProc2.5661 | 20220218
ESET-NOD32 | true | 24812 | a variant of Win32/Agent.AANJ | 20220218
Elastic | true | 4.0.33 | malicious (high confidence) | 20220211
Emsisoft | true | 2021.5.0.7597 | Gen:Variant.Doina.11462 (B) | 20220218
F-Secure | true | 12.0.86.52 | Trojan.TR/Spy.Gen | 20220218
FireEye | true | 32.44.1.0 | Generic.mg.9c352d2ce0c0bdc4 | 20220218
Fortinet | true | 6.2.142.0 | W32/Agent.BJYELD!tr | 20220218
GData | true | A:25.32339B:27.26387 | Gen:Variant.Doina.11462 | 20220218
Gridinsoft | true | 1.0.74.174 | Ransom.Win32.Occamy.oa!s1 | 20220218
Ikarus | true | 0.1.5.2 | Trojan-Spy.Agent | 20220218
Jiangmin | false | 16.0.100 | - | 20220218
K7AntiVirus | true | 11.248.40894 | Trojan ( 005712e01 ) | 20220218
K7GW | true | 11.248.40897 | Trojan ( 005712e01 ) | 20220218
Kaspersky | true | 21.0.1.45 | Trojan-Dropper.Win32.Agent.bjyeld | 20220218
Kingsoft | false | 2017.9.26.565 | - | 20220219
Lionic | true | 4.2 | Trojan.Win32.Agent.b!c | 20220218
MAX | false | 2019.9.16.1 | - | 20220219
Malwarebytes | true | 4.2.2.27 | Malware.AI.4218787204 | 20220218
MaxSecure | true | 1.0.0.1 | Trojan.Malware.1728101.susgen | 20220218
McAfee | true | 6.0.6.653 | GenericRXAA-AA!9C352D2CE0C0 | 20220218
MicroWorld-eScan | true | 14.0.409.0 | Gen:Variant.Doina.11462 | 20220218
Microsoft | true | 1.1.18900.3 | Trojan:Win32/Tiggre!rfn | 20220218
NANO-Antivirus | true | 1.0.146.25561 | Trojan.Win32.KillProc2.fxmafv | 20220218
Paloalto | true | 1.0 | generic.ml | 20220219
Panda | true | 4.6.4.2 | Trj/CI.A | 20220218
Rising | true | 25.0.0.27 | Dropper.Agent!8.2F (CLOUD) | 20220218
SUPERAntiSpyware | false | 5.6.0.1032 | - | 20220212
Sangfor | true | 2.9.0.0 | Trojan.Win32.Agent.bjyeld | 20211224
SentinelOne | false | 7.2.0.1 | - | 20220201
Sophos | true | 1.4.1.0 | Generic ML PUA (PUA) | 20220218
Symantec | true | 1.16.0.0 | ML.Attribute.HighConfidence | 20220218
TACHYON | false | 2022-02-18.02 | - | 20220218
Tencent | true | 1.0.0.1 | Malware.Win32.Gencirc.116bc955 | 20220219
TrendMicro | true | 11.0.0.1006 | TROJ_GEN.R002C0DF221 | 20220218
TrendMicro-HouseCall | true | 10.0.0.1040 | TROJ_GEN.R002C0DF221 | 20220218
VBA32 | true | 5.0.0 | TrojanDropper.Agent | 20220218
VIPRE | true | 98492 | Trojan.Win32.Generic!BT | 20220119
ViRobot | true | 2014.3.20.0 | Trojan.Win32.Z.Agent.6702080 | 20220218
VirIT | false | 9.5.137 | - | 20220218
Webroot | true | 1.0.0.403 | W32.Malware.Gen | 20220219
Yandex | true | 5.5.2.24 | Trojan.GenAsa!10hNUrCWp5o | 20220218
Zillya | true | 2.0.0.4571 | Dropper.Agent.Win32.388010 | 20220218
ZoneAlarm | false | 1.0 | - | 20220218
Zoner | false | 2.2.2.0 | - | 20220218
eGambit | false | | - | 20220219

Unknown
SHA256 d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e: unknown, Clam

Item details
Resource: d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e
Type: SHA-256
Origin: Input file
Provider: ClamAv
Verdict: unknown

Provider data
Engine version: 0.103.5
Is malicious: false
Known viruses: 8607029