Analysis Date: 2014-12-15 15:59:04
MD5: 0868dfb8a6bcedb30c8d125e47e9afd2
SHA1: 823b469eff1e7f02fa5d9f213598fa83266a8e78

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 145e623aa299dbbff35de58bda2996f24f96eb73
IMPhash: (no value in the report)
AV: 360 Safe — Trojan.Obfus.3.Gen
AV: Ad-Aware — Trojan.Obfus.3.Gen
AV: Alwil (avast) — Malware-gen:Win32:Malware-gen
AV: Arcabit (arcavir) — Trojan.Obfus.3.Gen
AV: Authentium — W32/S-7136ec3b!Eldorado
AV: Avira (antivir) — TR/Crypt.ZPACK.Gen
AV: BullGuard — Trojan.Obfus.3.Gen
AV: CA (E-Trust Ino) — Win32/Nabucur.A
AV: CAT (quickheal) — no_virus
AV: ClamAV — no_virus
AV: Dr. Web — Error Scanning File
AV: Emsisoft — Trojan.Obfus.3.Gen
AV: Eset (nod32) — Win32/Virlock.G virus
AV: Fortinet — W32/Agent.NCA
AV: Frisk (f-prot) — no_virus
AV: F-Secure — Trojan.Obfus.3.Gen
AV: Grisoft (avg) — Win32/Cryptor
AV: Ikarus — Virus-Ransom.FileLocker
AV: K7 — Virus ( 0040f99a1 )
AV: Kaspersky — Packed.Win32.Katusha.o
AV: MalwareBytes — Trojan.VirLock
AV: Mcafee — Trojan-FFGO!0868DFB8A6BC
AV: Microsoft Security Essentials — Virus:Win32/Nabucur.gen!A
AV: MicroWorld (escan) — Trojan.Obfus.3.Gen
AV: Rising — no_virus
AV: Sophos — W32/VirRnsm-A
AV: Symantec — W32.Ransomlock.AO!inf
AV: Trend Micro — no_virus
AV: VirusBlokAda (vba32) — Error Scanning File

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cKEsMggg.bat
Creates File: C:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xmwAwQAc.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\xmwAwQAc.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\cKEsMggg.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\pagYYUIQ.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\pagYYUIQ.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates Process: C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\MIgIEoYk.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\SYcEYEMM.bat
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\SYcEYEMM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\MIgIEoYk.bat" "C:\malware.exe""
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\GEYMEMkw.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zkMEcUYM.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zcgAwQgM.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\zkMEcUYM.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\zcgAwQgM.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\dkkQsgQA.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\OiIwoMIM.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\UEMYIYoY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\OiIwoMIM.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\UEMYIYoY.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\XCoYEgck.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\fOMAssUc.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\fOMAssUc.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\XCoYEgck.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\KwUMoEkM.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dkkQsgQA.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\KwUMoEkM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\dkkQsgQA.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\TUYQoskU.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\PmQUscIU.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\TUYQoskU.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aSooEMUo.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aSooEMUo.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\TUYQoskU.bat" "C:\malware.exe""
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\euEsggAs.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\EgskEgMM.bat
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\euEsggAs.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\EgskEgMM.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ceckUssI.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\xKsssIwg.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\jEkQogso.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\jEkQogso.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\xKsssIwg.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\tuUIcMsg.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\pagYYUIQ.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\jcUgcUQQ.bat
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\jcUgcUQQ.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\pagYYUIQ.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\EkwgAIUI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\YcgUIwok.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\YcgUIwok.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\EkwgAIUI.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\EgskEgMM.bat" "C:\malware.exe""

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\xKsssIwg.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\cKEsMggg.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\cKEsMggg.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ceckUssI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\JIUUAsIE.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\JIUUAsIE.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ceckUssI.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\JqcUoQAA.bat
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\MmcIcQgY.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\sOgAskIE.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\MmcIcQgY.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\sOgAskIE.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\CqwUosYs.bat" "C:\malware.exe""

Creates Process

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\UEMYIYoY.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\BkcQQosk.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PwQQgkIo.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PwQQgkIo.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\BkcQQosk.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates ProcessC:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\zcgAwQgM.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CqwUosYs.bat
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\EyYIUoow.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\EyYIUoow.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\CqwUosYs.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HOYMksUI.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DogcYQQU.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\HOYMksUI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\DogcYQQU.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Creates Process

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PmQUscIU.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\oIokcskE.bat
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\oIokcskE.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\PmQUscIU.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\823b469eff1e7f02fa5d9f213598fa83266a8e78
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\RswcsQgs.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\tuUIcMsg.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\RswcsQgs.bat
Creates Process"C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\tuUIcMsg.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileqsIa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileiIsO.ico
Creates FilekwcQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileasQW.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileUQYI.exe
Creates FileOwsG.ico
Creates FileGAIQ.exe
Creates FileKMoc.exe
Creates FileUwYC.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileCoso.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\RCX5.tmp
Creates FileC:\RCX3.tmp
Creates FileGkgY.ico
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates Fileegcg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileuwEY.exe
Creates FileigoG.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FilemUos.ico
Creates FileOwsA.ico
Creates FileyQMS.ico
Creates FilemYsA.ico
Creates FileGwUI.exe
Creates FileeQYs.exe
Creates FileC:\RCXD.tmp
Creates FileegYM.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\RCX18.tmp
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX6.tmp
Creates FileyYEy.exe
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileKgoQ.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileecQI.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileC:\RCX19.tmp
Creates FileaQMy.exe
Creates Filemkko.ico
Creates FileOAck.ico
Creates FileKQYS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileSAsu.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\RCX1C.tmp
Creates FilewEEi.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileKwky.exe
Creates FileC:\RCX9.tmp
Creates FileOAcY.ico
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FilePIPE\wkssvc
Creates FileMgAS.exe
Creates FileWcoK.ico
Creates FileasUW.ico
Creates FileagoK.ico
Creates FileaUgS.exe
Creates FileqAIO.ico
Creates FileGoAo.ico
Creates FileC:\RCX8.tmp
Creates FileSIww.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileEosY.ico
Creates FileKoQG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileOAEg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileqoIW.ico
Creates FileKIgI.exe
Creates FileysAi.ico
Creates FileCYwy.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileCIkW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileqokG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileqIoC.ico
Creates FileC:\RCX16.tmp
Creates FileC:\RCX1B.tmp
Creates FileSoom.exe
Creates FileC:\RCX7.tmp
Creates FileSYUy.ico
Creates FileC:\RCX17.tmp
Creates FileesgI.exe
Creates FileC:\RCX4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileiQUg.ico
Creates FileQkUq.exe
Creates FileKIsW.ico
Deletes FileqsIa.exe
Deletes FileiIsO.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilekwcQ.exe
Deletes FileasQW.ico
Deletes FileUQYI.exe
Deletes FileOwsG.ico
Deletes FileGAIQ.exe
Deletes FileKMoc.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileUwYC.ico
Deletes FileCoso.ico
Deletes FileGkgY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes Fileegcg.exe
Deletes FileuwEY.exe
Deletes FileigoG.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilemUos.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileyQMS.ico
Deletes FileOwsA.ico
Deletes FilemYsA.ico
Deletes FileGwUI.exe
Deletes FileeQYs.exe
Deletes FileegYM.exe
Deletes FileyYEy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileKgoQ.exe
Deletes FileecQI.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileaQMy.exe
Deletes Filemkko.ico
Deletes FileOAck.ico
Deletes FileKQYS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileSAsu.exe
Deletes FilewEEi.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileKwky.exe
Deletes FileOAcY.ico
Deletes FileMgAS.exe
Deletes FileWcoK.ico
Deletes FileasUW.ico
Deletes FileagoK.ico
Deletes FileaUgS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileqAIO.ico
Deletes FileGoAo.ico
Deletes FileSIww.exe
Deletes FileEosY.ico
Deletes FileKoQG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileOAEg.exe
Deletes FileqoIW.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileKIgI.exe
Deletes FileysAi.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileCIkW.exe
Deletes FileCYwy.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileqokG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileqIoC.ico
Deletes FileSYUy.ico
Deletes FileSoom.exe
Deletes FileesgI.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileiQUg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileQkUq.exe
Deletes FileKIsW.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\MIgIEoYk.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\XCoYEgck.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\EkwgAIUI.bat" "C:\malware.exe""

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\sOgAskIE.bat" "C:\malware.exe""

Process
↳ Pid 1576

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ C:\823b469eff1e7f02fa5d9f213598fa83266a8e78

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\BkcQQosk.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\DogcYQQU.bat" "C:\malware.exe""

Process
↳ "C:\823b469eff1e7f02fa5d9f213598fa83266a8e78"

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network Details:

DNS: google.com
Type: A
173.194.125.32
DNS: google.com
Type: A
173.194.125.46
DNS: google.com
Type: A
173.194.125.41
DNS: google.com
Type: A
173.194.125.40
DNS: google.com
Type: A
173.194.125.39
DNS: google.com
Type: A
173.194.125.38
DNS: google.com
Type: A
173.194.125.37
DNS: google.com
Type: A
173.194.125.36
DNS: google.com
Type: A
173.194.125.35
DNS: google.com
Type: A
173.194.125.34
DNS: google.com
Type: A
173.194.125.33
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1032 ➝ 173.194.125.32:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.125.32:80
Flows TCP: 192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP: 192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap
0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .


Strings
.
.............. ............. .......... ....#...........?..H
Kl
02	?<j]
?.;0-#!53|71
;_{0!r
0/.rPP
`0Sw4=
1_L_#" <&
1|%v?|%
24n$2b62
2>%IFm
2>%UJm
>3gSQ.f
3OE4,R
3_PI$V
3@rK'ta
3?U72?
41_>^*
4:*.56>>5F*
4Bh<Ag
4F*.4B
4J(,@g
"51Ril
"5{\aP
&)5Jmd
'$<5JN
"5=VehV
62KVq.!
6\7|%C
&|6eqU
>6!IRe
6~%s7|
:6!=~uh
6|%v6|
'6|%w6|
>6!YVe$
7|%37|
7`8sF\
7|nr7|
7|%Q6|
7~%s7~%s7~%s7~%s7~%s7~%s7~%s7~%s
7v%d7x
7|%x7|
8xe"	xy9
9[c6]4
A$*5c)
aMEL9@
aP?H$^G
aR0_la
%ATx$T$
.-aVe,
	*)aVe 
;A*yN(8G
]#>%b>
b|2H:a
b4E d4j
^|'b4J
b7K%E7|
\B$BU"<
bF7&$7
B FLX-
BG/S`7
}B Jx!1[
b]Q>2D
b]Q>6F
BSlaGS
`bYVL:i
C;1bjm
=c3J%6M
C^~#5^l
C7|%@7|
caL=v>
-c;bk^6
C>fCA,
C>f+K,
C>fkO,
C>fsI,
C$J1o&
CoBMGb
*cWy|w
	,D7%(
D7a%E7H%S
D7a%E7J
D7a%E7J%S7X
D7a%E7k
D7a%E7k%R
D7a%E7k%R7K%R
D7a%E7k%S
dAUQdA]Y
d>D:<.Y~$
d/J{RPO
dK6,C@
D_:$>R
dxsT`u%
d	Ymf9
E7F%B7k%K7K%F
e7s%D7t
	*)e^a 
e?h7s%h7~
{,eN[C2]7
EP`?D9%
E-p{*-g
ES@&GP
E,;_zQ$
F1T \$
F6|%F6|%+6|
|%f6I%
F,'6R<
F<d~S1
F%J7k%@
F%J7k%@7K%F
F(KuQH
FsT|u%ls
FS.yE'n
F@~Wir
.,G:;)
GB4VuS
g_b}^RG
gQ r)i,
=GrgN*d
G,TL_/
H`/>^*
H7K%B7E%A7D%B
H7K%E7|
H7K%P7E
H7|%N7|
H.aZPjY
HbaZyj
HbX6uki
HELJ]Zo%
H#:K%s
HvaZyj
Hv`ZpjY
H:Y2enM
HzX6,ji
HZYvt[]
Hz`ZpjY
_I5-v6Vl
Ibgegc
&ieRM")&Q
'j03(O
[j&;7}B%
J7F%K7O%E
JA$.ur7
jcMihO
J%D7E%B
J%H7K%@7|
J:|%i7|
\jid.uy{"
\jid@!x
JQ$R$h8
<jS7a<
jyF8Un
,jY:u+Y
K0OEl&O@
K7J%B7r
K7J%B7z
K%^7K%H7\%A
K%A7N%E
 ;%}kC
K%C7|%D
-KI0-M
*KILB}
K%S7D%D7M%U7|
K%T7E%E7\%@
"|]kzQ
l0YSx}
L%D7J%F
ldSR8b
LG2{Qq 
L_#JU@%
;_lk J
l$O)6I}%
M,D	L0_
ME|FM'
ME<Q\L
M%F7k%@
mMM\:H
}m%q6mz
mvIxj_
N6U2_6
_n}+C>
`ndcpssOcfe
NdeW}v
\nEcaZ
nKt4h6v
%NMtRG
nN&Upn1O'
NP Fm^*
n *Y6twQ
NYJ~*	g
$nYr$vM
<o3t<J
O3~,Zl
o7G%@7K%F7Z
$OE4D^
ofN^>"_a=/
^*OIXCR
oQY"fXV
oW:<MY
P6Y6PnU
p7|%r7|
^P8gpZ
Pf$y$g
PrY6Pn
pS|deo
PVX~`v]
p=vY(*
PvY6PnU
p&X2A'M
p*Y2`ry
P"Y6Pn
P:Y6PnU
P*Y6PnU
p.Y~LZm
!_P"zV_
q+_!&!
.q3r5F
*q* 6g
'q7|%q7|
qn*To2<
Qq37Ns3{*q
Qq37Ns$r
qR|%B=H
qw\Sf&6o
\~r%_:
r7|%'7|
r7E%E7^
r7F%B7|%B7|
r7|%r7
r7|#s7u
r7|%u7|
r7|%X7|%*7|
R|%B7|
,RhwLS
r:|%i7|
Rich!4O
=RL]R`0
rOt%v7|
R(RwF4R
's7|%s7|
%s7|%s7|
s7|&s7
}%s7|%s7x
s7|%sS
|S$bAt.
*)sDmL
S$ft?7O6
SnCtJu
S@^`R;
~T`g|f
T'(GFP
!This program cannot be run in DOS mode.
Tpg|CO
?-TQZLe
Tr7|!r7|
U7X%v7D%N7E%@
u&kFKr
u=Pl;|
UQd7sMr
`v	?`^
v5|%v7|
v5|%v7Y
v7=`b>
'vD=>O);
:VE8zi
<v`nl:a
VP .Yo%
$vY~$ZY
Vz _Ai
w7|&w7|
w8B5R.o
wh[<^v
#wzD|S
X2PvY~
X6PZY6PnU
,/{X7h
x&cDl0
x;+cx;
 ~X:pr	
xrA*yF
xT|j=;
y58Iy185y18-ya8
Y:D+Y*L>
yI8	xy9
.Y*L2y
*`YN=v
Y*pnYr@
`*Yrxv
 ^Y~t3M
z :~6*
ZC+\HQY
ZF7U%+9|
+(z;KI
,ZY:)*