Analysis Date: 2015-01-14 13:54:26
MD5: d833f6c6d79ef51775a0dfb8a694d144
SHA1: 83a18b5648822e6446280f4ff57f5fecdff65a2c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: d05e9ffef296a45af22a3986d09a0da14bd6c05d
IMPhash: (no value reported)
AV: 360 Safe — no_virus
AV: Ad-Aware — Trojan.Obfus.3.Gen
AV: Alwil (avast) — VirLock-A:Win32:VirLock-A
AV: Arcabit (arcavir) — Trojan.Obfus.3.Gen
AV: Authentium — W32/S-7136ec3b!Eldorado
AV: Avira (antivir) — TR/Crypt.XPACK.Gen
AV: BullGuard — Trojan.Obfus.3.Gen
AV: CA (E-Trust Ino) — Win32/Nabucur.A
AV: CAT (quickheal) — Ransom.VirLock.A2
AV: ClamAV — no_virus
AV: Dr. Web — no_virus
AV: Emsisoft — Trojan.Obfus.3.Gen
AV: Eset (nod32) — Win32/Virlock.G virus
AV: Fortinet — W32/Agent.NCA
AV: Frisk (f-prot) — no_virus
AV: F-Secure — Trojan.Obfus.3.Gen
AV: Grisoft (avg) — Win32/Cryptor
AV: Ikarus — Virus-Ransom.FileLocker
AV: K7 — Virus ( 0040f99f1 )
AV: Kaspersky — Virus.Win32.PolyRansom.a
AV: MalwareBytes — Trojan.VirLock
AV: Mcafee — Trojan-FFGO!D833F6C6D79E
AV: Microsoft Security Essentials — Virus:Win32/Nabucur.gen!A
AV: MicroWorld (escan) — Trojan.Obfus.3.Gen
AV: Rising — no_virus
AV: Sophos — W32/VirRnsm-A
AV: Symantec — W32.Ransomlock.AO!inf
AV: Trend Micro — PE_FINALDO.F
AV: VirusBlokAda (vba32) — no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\XQUkkEko.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\UAYMEIQc.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\UAYMEIQc.bat
Creates ProcessC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\XQUkkEko.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates ProcessC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qQcAwwws.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\woUIIAwk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\woUIIAwk.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\qQcAwwws.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\AScYIsgA.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\AScYIsgA.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\tgUYMsEs.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\yCUUEEog.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\TqsMMcgY.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\yCUUEEog.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\TqsMMcgY.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\qQcAwwws.bat" "C:\malware.exe""

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\qyEMMQcQ.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\qyEMMQcQ.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\bEcYAoYQ.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Jugggocg.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\bEcYAoYQ.bat
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\Jugggocg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\TqsMMcgY.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\hcUkUssc.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\tgUYMsEs.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\hcUkUssc.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\tgUYMsEs.bat" "C:\malware.exe""
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\Jugggocg.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Jugggocg.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\cQcQMggo.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WMsYQEIw.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\WMsYQEIw.bat
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\cQcQMggo.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VuEUoUcM.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\fAoQAIoY.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VuEUoUcM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\fAoQAIoY.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\yCkgoIUI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\sMcAwYwE.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\sMcAwYwE.bat
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\yCkgoIUI.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\AScYIsgA.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\uEgIMQIs.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\uEgIMQIs.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\AScYIsgA.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

Creates ProcessC:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\83a18b5648822e6446280f4ff57f5fecdff65a2c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qyEMMQcQ.bat
Creates FileC:\83a18b5648822e6446280f4ff57f5fecdff65a2c
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\jiYsMEwI.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\jiYsMEwI.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\qyEMMQcQ.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\cQcQMggo.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\yCkgoIUI.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\yCkgoIUI.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\XQUkkEko.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\XQUkkEko.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileBEAI.ico
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileTscQ.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileXIAa.exe
Creates Filenoge.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FilezQUY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates FileZkoM.exe
Creates FilefgAe.ico
Creates FilelUIA.ico
Creates FilejgMw.ico
Creates FilejYos.exe
Creates FileC:\RCX18.tmp
Creates FileC:\RCXE.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FiletQUw.ico
Creates FilexUwO.ico
Creates FilefkkU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FilePkYu.exe
Creates FileC:\RCX9.tmp
Creates FileDcQg.ico
Creates FilePIPE\wkssvc
Creates FileDswY.exe
Creates FileGIMS.exe
Creates FileOscK.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FilerMEG.ico
Creates FilezQsm.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileDccW.ico
Creates FileC:\RCX1D.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileLUMs.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates Filebogo.ico
Creates FilePkQw.ico
Creates FileC:\RCX17.tmp
Creates FilebwAm.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FilepcoQ.exe
Creates FilezUEy.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FilejMgg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileTkES.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FilezgQA.ico
Creates FilebgEw.exe
Creates FileC:\RCX3.tmp
Creates FilezEUm.exe
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileBEce.exe
Creates FileXsAg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates Filefogc.exe
Creates FilefYsw.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileLEEg.exe
Creates FileC:\RCXD.tmp
Creates FilenkwS.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FilevcIc.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FilePoIa.ico
Creates FilefcIE.ico
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileBYAq.ico
Creates FileDkEW.exe
Creates Filezsca.ico
Creates FileC:\RCX13.tmp
Creates FileTwUS.exe
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FilevwQQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FilebQku.ico
Creates FilejAwY.ico
Creates FilezAci.ico
Creates FileC:\RCX1C.tmp
Creates FileC:\RCX1A.tmp
Creates FileHQYm.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FilebswM.exe
Creates FilebYQA.ico
Creates FilenEYU.exe
Creates FileXccY.exe
Creates FilehEQk.exe
Creates FileC:\RCX8.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileDgEM.exe
Creates FilepIcE.exe
Creates FilefUwU.exe
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FilezEkm.exe
Creates FilevMMs.exe
Creates FilefwIa.ico
Creates FileC:\RCX16.tmp
Creates FilezIoO.exe
Creates FileroII.exe
Creates FileXggI.ico
Creates FileC:\RCX4.tmp
Creates FilezgMU.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FilerQkc.ico
Deletes FileTkES.ico
Deletes FileBEAI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileTscQ.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileXIAa.exe
Deletes FilezgQA.ico
Deletes Filenoge.ico
Deletes FilebgEw.exe
Deletes FilezQUY.ico
Deletes FilezEUm.exe
Deletes FileBEce.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileXsAg.ico
Deletes Filefogc.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilefYsw.ico
Deletes FileZkoM.exe
Deletes FilefgAe.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileLEEg.exe
Deletes FilenkwS.ico
Deletes FilelUIA.ico
Deletes FilevcIc.ico
Deletes FilejgMw.ico
Deletes FilejYos.exe
Deletes FilePoIa.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FilefcIE.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: BYAq.ico
Deletes File: DkEW.exe
Deletes File: zsca.ico
Deletes File: TwUS.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: vwQQ.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: tQUw.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: bQku.ico
Deletes File: zAci.ico
Deletes File: jAwY.ico
Deletes File: xUwO.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: fkkU.ico
Deletes File: PkYu.exe
Deletes File: HQYm.exe
Deletes File: DcQg.ico
Deletes File: bswM.exe
Deletes File: nEYU.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: bYQA.ico
Deletes File: DswY.exe
Deletes File: GIMS.exe
Deletes File: OscK.exe
Deletes File: hEQk.exe
Deletes File: XccY.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: DgEM.exe
Deletes File: rMEG.ico
Deletes File: zQsm.exe
Deletes File: pIcE.exe
Deletes File: DccW.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes File: fUwU.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: zEkm.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: vMMs.exe
Deletes File: LUMs.exe
Deletes File: fwIa.ico
Deletes File: bogo.ico
Deletes File: PkQw.ico
Deletes File: roII.exe
Deletes File: zIoO.exe
Deletes File: XggI.ico
Deletes File: bwAm.ico
Deletes File: zgMU.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes File: pcoQ.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: rQkc.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes File: zUEy.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: jMgg.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
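Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Note: the dropped copy QWcQAwoI.exe (next process entry) creates the same two mutex names. They look randomly generated, so they may be specific to this sample rather than usable as a family-wide indicator.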

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
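↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Note: setting EnableLUA to 0 turns off User Account Control on Windows versions that have it. The C:\Documents and Settings paths in this report suggest a pre-Vista guest, where the value would have no effect, so the write is mainly useful here as a behavioural indicator. On current systems a change to this value is worth alerting on and should be reverted during cleanup.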

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ "C:\83a18b5648822e6446280f4ff57f5fecdff65a2c"

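Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Note: HideFileExt=1 makes Explorer hide extensions of known file types, and Hidden=2 stops it from showing hidden files. With both set, the .exe suffix of the files created above is not visible to the user. Both values should be checked and restored when remediating an affected profile.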

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\fAoQAIoY.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Network Details:

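DNS: google.com
Type: A
173.194.125.78
DNS: google.com
Type: A
173.194.125.73
DNS: google.com
Type: A
173.194.125.72
DNS: google.com
Type: A
173.194.125.71
DNS: google.com
Type: A
173.194.125.70
DNS: google.com
Type: A
173.194.125.69
DNS: google.com
Type: A
173.194.125.68
DNS: google.com
Type: A
173.194.125.67
DNS: google.com
Type: A
173.194.125.66
DNS: google.com
Type: A
173.194.125.65
DNS: google.com
Type: A
173.194.125.64
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1032 ➝ 173.194.125.78:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.125.78:80
Flows TCP: 192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP: 192.168.1.1:1038 ➝ 190.186.45.170:9999
Note: the google.com lookups and the two bare GET / requests with an empty User-Agent are consistent with a connectivity check rather than command traffic (inferred; the report does not say). The TCP flows to port 9999 on 200.87.164.69, 200.119.204.12 and 190.186.45.170 are the non-Google destinations and the more useful network indicators. Given the 2015 analysis date, those addresses may since have been reassigned, so treat them as historical when matching against current traffic.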

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .


Strings
.r.
.:..
.

":-}}^
0<8x1z
0xGWAhg\
1-o=#U
%/2#@/
;2E|3_
 .+2;M
	2|S::
332/o3
3\,}:~c
\3eLI7^
3JQTCL
+3J^uP
45u8"U
/4h`"%
4\,=k4
64h@JgL2
6ql>MZQt
6V%+.Dz<mA
6zz^RBJ
7@1YOL
7X65S[1j
.8bX/a
8]fsJ"Gq
	8hO$[
8,lbzn
8Oq"f'%
a%6Eu8
a$7CmI%
A8&HK8
AG<UJq
ahMP.m
AH(yfw
*AmNWD
A>M\oC
?	a=RM
=|,}b^
B2Cb8Z
B2CC!z
B2C#/Z
B2C#>zR
$b_5$"V
B8C#R:
bC<n"kq}
}b~)Thp-y
-bX#sM
b-zP~)-
CB:hIC8
CC4ZsF"}^
ccz|tn
Ch T"d
}c:stn
Ct7[op8Y
c]U:2<
d`4&+E
D"6(+E
D6L\S5D|
D:8-c"
]D:gS&
dJ^^0_K
dkL|.^%
D,L\SUD|
-:d=Rh
e$7Cm	
E@F|l(
EF>Ml0
E?KxR4
EPKUr{
et*F|\
eZ(%}N
F3G$$3G
|f"c}f(
Fq#VAy(
FyYvTwm
G}3''K
GInHEd
g	J)n%&
[g}L\~
[g}L\~%[|
>Ha9RM
?Ha9RM
HK8dAk
#h PBi`
=/H(QC
h!Uc	j
HX"kKx$
i*?2.[SX
I8"i p
I<aLi.zVm/
Id9R/!
-iM;c^[
+ i'N'i$
IXiL"z
J2:!q/{~
j6QMNZ
JFB4?\
	JQ#+*rjH
)_J]uB
=+=k"'
K f&/b
K {&Oh(
K |&OM
ktX.L<t$
[_. l<-
>[-L\?
lBx$anT
l^CZft
LfZJGnZG
~_M18o
-Mfgrd/
M|]Hy;
^MJWVM
;MK}X9
(Mn];G
~mOq"f.%n
]M|=rJ
%'>MS0
M?)sdyD
mt9Pr<
mxXl^JZz
n73m}83
N9ripo9
):oB@@
~]oqp|
oTtB\2
oxtX8r
"P7n">
P>b-B[
Ped`Tx
p\E\>M
pIQiV\
pj(JXBl`
PkL|.m.
*p#,Kx
P~.%NQ
POq"f'%
'pt_$k7
q_5>Qu:
qD|cZstn
qDQKCL
qEL|co|t
QhWtW=r
-Q%+.|r<mAf
_qt$5xY
R`}&8?
r9upo&
RcD(t%)e
Rc@(pA
R>G-#>'
rg~l';
rhtdPE
Rich!4O
r&iK2 
[SdL|n
[SkL|.
sK T5K
sMA]*G
"S^Ow5
Sq"&	,
)^[T4Q
#(%TBA
!This program cannot be run in DOS mode.
TtnkD|.
twfX n
%u2}MU
u	a}9W
[UdL|n
[UkL|.
[UkL|.o&
\+,u(s
%#,ut4u
uVZIu_wA:^zT
>V%+,4Y
(!vk-p`
vLp=:Q
VM5cF#
|v<mAe^&
VM*bYT
VnhCDc
#vP)SG
.*V%+~V%+
Vxv`+Ev
w~9H`bIN
wkZP#f
WMc ug0	d6
wNQ%OL
>X-L\?cQ
xV03HF
y	CxFg[t
>Y!L<#
Z33=z>
>Z4L\S
>Z5L\S
zEc~jm
zF.Cwf&
/\Z?g&
Zg}L\^
Zg}L\^El|
Zg}L\^ev|
z%H"fX
zJ[Uz<<
*ZL@l4F6U
>Z+L\s5D|
Z<mAT.
!Zs=)N
=|,]zT
zYg>x^