Analysis Date: 2015-05-25 20:08:56
MD5: 7352bf3ee93a59f74f91c4d410b5e7ae
SHA1: 9011217260b49c51055e31bca3102777ee0c60b2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 2c33f88814fa1403aaa99db5f390c709 sha1: f04262aea160d94449275104e8c3ba757e15ada6 size: 498176
Section: .rdata md5: addfe7ff5eb92d6e973920bd483d6151 sha1: aa077003ae34da36d510828fcba16b9c60e82319 size: 512
Section: .data md5: 7ebfe0c5d6b7dbabb1977feef4ef9132 sha1: 8abd5406928bf35ee510a5b515b26c52e0e9e5c4 size: 512
Section: .rsrc md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 2015-01-06 00:36:08
PEhash: 2a787b59d8f370e9191aa5c61aa2e6b8ed1d88f2
IMPhash: 2807c0ca5ad720701d18209f17b23a35

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dUkIswAE.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\9011217260b49c51055e31bca3102777ee0c60b2
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OigEYwAc.bat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\dUkIswAE.bat
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: "C:\9011217260b49c51055e31bca3102777ee0c60b2"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\OigEYwAc.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\9011217260b49c51055e31bca3102777ee0c60b2"

Creates ProcessC:\9011217260b49c51055e31bca3102777ee0c60b2

Process
↳ C:\9011217260b49c51055e31bca3102777ee0c60b2

Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gKcUIMEo.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\BEAgUYQs.bat
Creates File: PIPE\lsarpc
Creates File: C:\9011217260b49c51055e31bca3102777ee0c60b2
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\BEAgUYQs.bat
Creates Process: "C:\9011217260b49c51055e31bca3102777ee0c60b2"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\gKcUIMEo.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\9011217260b49c51055e31bca3102777ee0c60b2"

Creates ProcessC:\9011217260b49c51055e31bca3102777ee0c60b2

Process
↳ C:\9011217260b49c51055e31bca3102777ee0c60b2

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NqckwEks.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\KUsAMMsM.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\9011217260b49c51055e31bca3102777ee0c60b2
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\NqckwEks.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\KUsAMMsM.bat" "C:\malware.exe""
Creates Process: "C:\9011217260b49c51055e31bca3102777ee0c60b2"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileNqMM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FilepAAA.ico
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileVgkA.exe
Creates FilelEYe.exe
Creates FileC:\RCX2.tmp
Creates FileFGsw.ico
Creates FileFqwc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileZEcQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FileVGEQ.ico
Creates FilelMUw.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FiletkkK.exe
Creates FileC:\RCXF.tmp
Creates FileNEkG.exe
Creates FiledIgW.exe
Creates Filedqss.ico
Creates FileC:\RCX12.tmp
Creates FiletqsM.ico
Creates FileJkQo.ico
Creates FilelCUQ.ico
Creates FileZAMU.exe
Creates FilePwsa.exe
Creates FileVYIm.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FilexQIA.exe
Creates FilePIPE\lsarpc
Creates FileFkso.exe
Creates FileC:\RCXE.tmp
Creates FilepksA.exe
Creates FileFaMY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FilehgcM.ico
Creates FileFcwG.exe
Creates FilepcMQ.exe
Creates FileliYQ.ico
Creates FiletmIg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FilehIwc.ico
Creates Filedmco.ico
Creates FileNWEs.ico
Creates FilePIPE\wkssvc
Creates FileBgMU.ico
Creates FiletIYW.exe
Creates FiletIkK.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FilehMAo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileC:\RCX1D.tmp
Creates FileXkcK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FiletswQ.ico
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FilepUAU.exe
Creates FiledskA.ico
Creates FileFQcW.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FilehAkI.exe
Creates FilepSkA.ico
Creates FilepkQU.ico
Creates FileC:\RCX17.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DFF920.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileBQIo.exe
Creates FileFCcI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FilepIAk.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FilezKIU.ico
Creates FilexYMm.exe
Creates FilehooY.ico
Creates FilexssQ.exe
Creates FileC:\RCX3.tmp
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileVuwE.ico
Creates FilebEsY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FiledyEQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates Filepcsg.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileNMcW.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileVmsc.ico
Creates FileC:\RCX1A.tmp
Creates FiledOQo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileC:\RCX8.tmp
Creates FilehoIc.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileNysU.ico
Creates FileZwEY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileJgse.exe
Creates FilelMYO.exe
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FilehcEU.exe
Creates FileeOQM.ico
Creates FileC:\RCX16.tmp
Creates FileC:\RCX4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileRQUG.exe
Creates FiletwUu.exe
Deletes FileNqMM.ico
Deletes FileFCcI.ico
Deletes FileBQIo.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilepAAA.ico
Deletes FileVgkA.exe
Deletes FilelEYe.exe
Deletes FilepIAk.exe
Deletes FileFGsw.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileFqwc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FilexYMm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FilezKIU.ico
Deletes FileZEcQ.exe
Deletes FilehooY.ico
Deletes FilexssQ.exe
Deletes FileVGEQ.ico
Deletes FilelMUw.exe
Deletes FiletkkK.exe
Deletes FileVuwE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FilebEsY.ico
Deletes FileNEkG.exe
Deletes FiledIgW.exe
Deletes Filedqss.ico
Deletes FiletqsM.ico
Deletes FileJkQo.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FiledyEQ.ico
Deletes FilelCUQ.ico
Deletes FileZAMU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FilePwsa.exe
Deletes FileVYIm.exe
Deletes FilexQIA.exe
Deletes FileFkso.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes Filepcsg.exe
Deletes FilepksA.exe
Deletes FileFaMY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FilehgcM.ico
Deletes FileNMcW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileFcwG.exe
Deletes FilepcMQ.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileliYQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FiletmIg.ico
Deletes FileVmsc.ico
Deletes FilehIwc.ico
Deletes Filedmco.ico
Deletes FileNWEs.ico
Deletes FiledOQo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileBgMU.ico
Deletes FiletIYW.exe
Deletes FilehoIc.exe
Deletes FileZwEY.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FiletIkK.exe
Deletes FileNysU.ico
Deletes FilehMAo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FilelMYO.exe
Deletes FileJgse.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileXkcK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FiletswQ.ico
Deletes FilehcEU.exe
Deletes FilepUAU.exe
Deletes FiledskA.ico
Deletes FileeOQM.ico
Deletes FileFQcW.exe
Deletes FilehAkI.exe
Deletes FilepSkA.ico
Deletes FilepkQU.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FiletwUu.exe
Deletes FileRQUG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: z1@
Creates Mutex: \\xc9\\xa01@
Creates Mutex: \\xe2\\x80\\x9a1@
Creates Mutex: \\xe2\\x80\\x991@
Creates Mutex: nwYEEQIw0
Creates Mutex: \\xc9\\xa11@
Creates Mutex: rIwsEEEo0
Creates Mutex: ScUMMMcQ
Creates Mutex: vWcsggUA
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutexz1@
Creates Mutex\\xc9\\xa01@
Creates Mutex\\xe2\\x80\\x9a1@
Creates Mutex\\xe2\\x80\\x991@
Creates MutexnwYEEQIw0
Creates Mutex\\xc9\\xa11@
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\OigEYwAc.bat" "C:\malware.exe""

Process
↳ "C:\9011217260b49c51055e31bca3102777ee0c60b2"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\gKcUIMEo.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\KUsAMMsM.bat" "C:\malware.exe""

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1132

Network Details:

DNS: google.com
Type: A
216.58.216.78
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.216.78:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.216.78:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings
..
.vv..
S
.f.
S.njZ.
g
.
.%
#..Fa
t+..
e
.
.Gh.
.*
2.

> =]>#
:$?^? 
&]>^%]
%=\:#<]
00DE"[
+0:9k?
0,ag1Rh
0aH\7@
~0BA:H
0~d6v2+,tZ
]&0DE)
0 HGB`j
	`0^I5*
0K.MY?
\0P^L"
0VSj`@
0wbWT#
1|3U	Y341Fk
<18W<1#
1a;}H	x
1DlIDR
1L*O1#6<Q#V<
1Osq/?J
#1st;e
&1,Sy'
1#V<1#]<1#F
1#V<1#V<
1#V<1#V<!
1#V<1#V<1;V<1#
1#V<A#^<2#F
1#V<a#V<
1#V<A#V<
1#V<A#V<Q
<1#V<QwP<
1#V<Q;X<:
1#V<!#T<_
1#V<!#V<9
1Yv!8r
22M- 6
2-!,'+]a
<-"2A}h
}2D6K$u'
2e*3/,
2G1F	R
$<2K:}
-2L>(Ryk 
2;nH3^diN
^@2q^@Rq
2^@Rq^@Rq
}2tVK$
@2#X4V
}2X^I$T9y
:*319d
3A3E<q
3d3S$G
$*3I9d
}3OZ5<M
"3OZe)
 3Qgr2
3{W^t~J
3{W{t~L
]3yU9#k?j3m-RL-ZRA
3{YWp~	
}3zsB3
40K+p,
[40T4$I
4]1A/Ny
=	41RH!
!4<A4W
4copUO
/4i*_=
!4jh0yE.
4[Ov!Y
(4,%?R
4r;TI)
4u}+XU
51F/F=v
!5;3`;(
,59MMj4
5C-Gt~
\5NM\J
&5qeFQ{
\5	tPgP
5,>W2f5
&;(<&;)6
#^<6#F
%<6&Ia>x>&
6;K-'T~y
6Pbc>H
+`6v@D
6W5]*W
6WuU"W
;6&YViaC
+77qW_
7atqs`sE
7<b'z+i
7C&G4~x
7C-Gd~'
7C'GD~J
7CQ[d~
7CQ]d~
7CQjT~
7CQNt~
_[7CQ_t~
7C_Qt~H
_}7C_qT~I
7eGj	l=B
!+[7g>
,7kj%	
7MF~X?1
7,mg/^i
7pC+vC
~7@r$)
	7sbv1M$v
7V>#"^
]7xJ*<\SHU
805+%?
8ast;ast;
8ast;ast;Ast;
8ast;qst;
8Gkfbjm
8h"F#w
8J+QDX"YF
8/n~'G
8t|kp/
8*zTTv?
$93FwX}
9'a2fg|
9,buD4_g`
9{+G`~
,9(l:<)
9mj':m
9mj'Zm
	9ny9<a
9r{QrM
9t%4j{S
\(9tUi
&;(<.9)v
A2.MHgsx ;
	A2X^J+
A3J^@(,^
A3J^@(#^
A3^sB)
A3T?L)
A3T?L)DSx
A3T?L)H^{
A3t?L)It
	A5X^J+
A87x?!
abaoPb?
AcqsI3
AcqsNG
a~"d45
aFOZZ?E
A#==]g
~AG[~FG
aH9[aK
AIe'u R
a.ItB)
[aKYj6
Am7*,"
A`o}X]
ApLY`Fj6
A"Q^A)
A"Q^A)T
~aQty+
as|;asdwqst;j
|+asdc
ast;ah
;ast;aiw;as
ast;ast;
ast;Ast;
ast;ast;acz;
ast;ast;q
ast;asv;b
ast;qst;
ast;qst;k
ast;!st;`kz
A.T;K)
a(TweN
>a(Tz<
	A<uHl
a(v~H"t~(Gt~(Gt~(Gt~(Gt~(Gt~*Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
<a#V<Q
	A/X^J+
#A]Z?!
A"Z^A(
A%z-_g
B'0GSj
b&17 Q)
B6jc> 
B6UQ@C
_b7CVfd~y
B7{mGd~3
B%9XZ\
!bc(u'
BDEaJW
$bd]!Rn
bfNE~a;
B.FQ @
/	bgA(
bGN~GG
B(><]J
bLT\n	:
bp/RUO
B(P^W"
Bpz~JK
bq45x'
BQ)[iAl
b'(qsl
b@/RGO
Bs?nG;O
B(>sRJ7
BT!iz"
BT^pEr
B+UtAd
Bv.\Cy
bW@d=0
BzmX'v
~]bZS\
C#';2Cs
^C3]^J"
CBA;{DV
cbLNkGC
%"c|FBFD-
cf-gA^
c'FHoj
?C!G4~y
?C!G$~y
CHTL"X
cI7bu#
cJ(Y>n7
~(cK;,Gq'
~(cK;(Gq'
~(cK;$Gq+
|(cK;$Gq+
(cK;,Gq'
(cK;(Gq'
(cK;$Gq+
}(cK;,Gq'
}(cK;$Gq+
<cMrD]
=COa8lK
C+P^G"
-C+SAu
C(>sBJv),
ctDEE$
CUSsQo_q
CWw+	X
^C"=Yf"Y
~]cZCY
@d/;{@[
D3a7+b
d5t~HGt~(Gt~(Gt~(Gt~(Gt~(Gt~/Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
d5t~HGt~(Gt~(Gt~(Gt~(Gt~(Gt~)Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
^D7Fsb&
dABp$c-2
@.data
Dc$`"a
DCe=&`Z
Dd3PEr
DE)GBE
dE)GcE
d??e)k
DfLZr}
DGczqtg
Dgt~H#t~(Gt~(Gt~(Gt~(G4~/G2<!ZW
Dgt~H#t~(Gt~(Gt~(Gt~(Gt~,Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
Dgt~H#t~(Gt~(Gt~(Gt~(Gt~'Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(F
Dgt~H#t~(Gt~(Gt~(Gt~(Gt~'Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(G
D	*&j	#
DO,6{E;
d$P *m
dqE%jh=
dV@Er7y
.dV@Er J
}/DVK}CW
dX,MbA
Dza@F-
("e)".("
E3P^L7
E4 hN4
E4&lNXsj3
E4 RA4
E4 RD4$
E4@RD4i
Ea\S?Qw;
E(\F MTO
E`!gC`;
(egS-2o
e^hm--
EiNOHJ
EiNV@JAW
Ei>sBJ
Ei>sBJ7
eLS9fLS
em$eZ#
EP@gBP
_e SGI_
;e;t'Kr
;et	VN
eU22Gy:V3;
eWdc][
}eZYatm
>\.f:>
}>(^F>3sb
F3T^Hg
F3T*@iT0K"T
F4[^H!T^
F4M@Er
&f4yHG
F(8^K"0sb
^&F^A"
-f)F&jY
Fg!sd^
F!HH ?
{FI}Do
F$ItI"
)FjPES)T6
Fk_0rGW
f"NDzn
FNY`Nm7
F)!OHg
|:?F$Q
F&Q^K$
%fR'd-8
fR|Qr.xo
	fR,|yw
fS+?!$
F(>sBJ
fSK<"+
F!}SOS
{_FSz)
FTZ$O#
fV,C|<g
F%X^I"T4~
F(Z'G3T
,]'!Fz>/K^
Fz&U,:.=|z
!g'0;0*
%"G|0J*D-
G1#6P1#V<
$(G2Ml
G2wPK)
G2wPK)}wE&	t/M
G2#X]!
:G3JM7"
G3	t@0P
\g4-\3Y
g4;c$a
g4-l	q;|
	G4P^A5
G4{sB*
G4)tE*
G4	tO*2
G4ytE*
g][5r&
G6#||y5
_g7C_[d~H
%"G|8OeD-
G"9tE*
G*AsB*LF oLO
GB:Hfq
GcHjHe
gDSH"AS	
GetMessagePos
GetSystemDefaultLCID
!g]>F-
GF:Hyq
'|GfiEc
`gFOYg
!gGf;8*
gG^{i6M[i
ggnPc:'
?\GGTz
)\g[	i
=g.:^I.
g.:^I.9^e
g.:^I.)^e
g.:^I.I^e
g.:^I.Isb
g.:^I.Y^a
G;KEGt~`
GN:H]q
G&oAR}
gP	I&t?N>	t_"
!`G~PT
GQmsz!c
G  Q-"xN
G)T6G*4*G06
G?)tE*
Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(G
GT~]GZ~{GZ~tG
G(TI@)ZH
G)	tK*
]gT.M0
GtM0Erz
gU7dvK
GUw Er
<gVuH `
&`gwRe~.
gxBVv9E
:G;XCg
G(X^I)
gX^Y"DO
gX\!zF
=g.Z^A.
%"G|ZC
G.ZPA.
G.ZPK.z
}<'H]!
h16Ux@
H29VOcm=
h4T2Y"
H!6 N8
hCRN/x|r$
H Em#.
HfRmh&P
Hg}DX>t~
Hg@eFyZ
hG$~SF
h&+js&+js
|%HL"H
hn-G)s
hq;X'i
hr	U{wF
h(t~(Gt~(Gt~(Gt~(Gt~*Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
HuBOI2+w
]hUKa7
H)V^	(T?L)Zsr
_hX@St
hyAThyAThcGThy
Hy%i"_
i"0WE5
I/1^E.6
I3tVO+
I+4,L)
i5DNA>4N
i\5>]DNB
;i[5UgD`
I+&*%A
i.A^^2
i~A59,
I/AsB.
iBI9u B
IC@Ql6
IdOuKk')
ID^	q|L
I'&eI'&wQ ^~
`Iema"
~IG8~HG=~
iG$~cF
I{][gD
~IG:~LG
~IGZ~DG
ihoo	13
I*ItIh,F
I<	KMqk
Il8TQR
i@}m9xj
I(@NB2^S
i_Np~q1
I)^	OJ
Ioq+Mc
^I)!Pd1
i"p}`e	^k6?$
Ip'i	Qag
IQbdJqt
IQhfJSx
I[r.a~
i^@Rq^@Rq
I)T0KktI
i+T7A+
i&T?N2
i--Xr5
#$iZcx
I&ZPK.z
J3PPK(z
J4&,*,
J$5RX.
J6/B>+F
J} c4g
J~Cdue
J`Ft2E
J"HsR&
'jIQgd
)^j;O$
>j QId4
j~ry`4r
	~^jt$
+JT;lE*
JuhGcBD
J$U^P.
jWFEXR
J"xP[&9tE&
J(X^Y#T6y
|&JYD-(Gq
='Jz3C.
='JZ4I.T.L5T2\>
#j#za:z
='JZ,F.z
:( ;k.
:(\;k.
;K]2T~y
K3T'Wi
K498fa
;K]5T~y
+k`6G	
~,'/K9=
</;kbG
,/;kbG
 K	]Bl
kb^odt
K;<cq'
K;$cq+
KD		+L
Kd'#na
KdOeKi/
_k~E^7lW
;KEGT~
kernel32.dll
?K!G4~y
,kg_#5FA
?k-GD~y
?K!Gt~{
;K-GT~{
?k-GT~y
;K-GT~y
?K!GT~y
~KG|~XG$~'G
KG:yQ-
|/;KhG$~
,/;KhG$~
/;KhG$~
(/;KhG$~
\/;KhG$~
ki)(m:
kky"acLP6
Km!o@D
k"'OX.@3
KoYCYi
K$P^Z"
Kr&|yo
;K] T~y
kvK	DvW&x|I
kxm<FEP
>|K	:|y
}kZtn~
L5tVZ(
LC|JVQ
\LC|Lry
le]`$h
lF~IK:
Lg4-\3y
~LGQ~\G
L.I^Lg
Lj.@^e.
L/;KhG$~
lMuAlEu
lMuAlEuH|
lMuAlMu,
lMuQlEu
/l^N	o
+-Lo=9
^L@oVq
"L	&PJm
LQ8Fw1
%#L"=;R/ 
l(:RX(
LS9bLS
LS	~LS
LS	n,S
LS	pLS
L%	t[&
L)	tEnV
l&	tO&
L%tVY&
:LxcI	[}
^LxJYL
Ly8ZwPw
L*Z^P(
:~m+\^
M2B7KgWNhg
M2ItI3
"M38<C
_m3{Qat~
M[4AGr
m4E9Px
M4RMKg
M4t<K5.-iJ ?h	Q=
m5	tO)
)_|m[6L&
M(8^J5GPeiE^ MCI
.m8^Z"R
|M%DwVv?
ME0 S*
MessageBoxExW
mgOZ8<h
mgPE[B
M)^HMJ
M(ItK4
m(ItK"TN
m&ItP4EG
M)	^Jg
MJ.!}g
MnLTx+
M"\PA$T
.!MP^K3
M(P^L$T
'MQDH)YH
 #MQhj
mtePE'
M)>TIJ
M(t<K5
M)tVL 
mVIeCI
M&vJGgIt
mVPei~
mW6R{S
mWCUs)
MwU27"9\
-^MwuDL
.MX^Y"H^
:mza:m
:mza*m
M(Z'G#T
n&\^@&
N0n[Z.
#|:>,N?2
\''NASh
nA~vxg1L
N!*bwo
N^C"@^
*n,~g%]
,Ng=,4
n{g;fY
N!)~	j
)NL	JT^
["NMLJ
*NNGV6
NPju#[
n&,RH&7^
N@Rq0VQq
N)	tO3
O54<A/G
[O=58q
o5GL?d
O/7+C"
O/7+K"
o,A'Yv
O\/cP'>%
~o_d~o
[OD)WO
$oF) FT
Ofq{&#	
o=Fr>CA
ofV|Cyx
)?o|g+Sf`P#
	OI^2<
O\k<F)|
O_OVF-
OSnC	'
/#*o;T/
O:T&]i4o
O(T.L>T2\>
o`w?.`
O/W0M"
O`>x+`;
oZ8V.R
p8DVu9
/p9D<h
%P a%(
]&PAL)
P?a~"T
paz#BL<"
p^,C G
PF"psB"
PF"psB".<!J
p#g5`c
_[pGIw
P{iGPjg%G
P{iGPjgwG
P{iGPmgBR
].p^J)	t
PK2ysB(
PK3yQE(
PK4	QJ(
pKJ.*<2
pKnd	?#
PK$YPI(
PK!yPI(9tE2
PK!ysB(
PK.ysB(
PK)ysB(
PK$ysB(
PK.ysB(>6!Jv*K3
PK,ysB(.<!J
PLwXK.
$(,[P-m^
P^+M*^u
|'	P@MYRG
p;~P?>
P[)	sB(
PsTV@7
psz;Hy1@
puN	w^M
*Q.#:&
Q0OpE"
Q3QP[g
Q54?Zk
Q5kw*}
Q5<OQg	
q#\^8DU80i
Q8$Eu/
Q,.9^@2q>^TqR,N
q+9xKV
/\@-Q,a
-}Q+:CFH
qcn*o<
Q"]^G3
Q/]^G3$O@!1P
Q/]^G3$OO!1P
Q$[GV4F
qHCRW5
ql!&CL
Q,-m.G
@\qM,Ng
qN@Rq/
q>Q$C 
q^@RqN@Rq8
q^@Rq.@Rq
q^@Rq~@Rq0
q^@Rq>XTqR,N
+qSFQq
"QSFS{PO
qS>H'WYD
Q&U^K 
q{<w$B_fU
QXT7mM
+Q'|(Y
QzU;/T
 _r4fA
r4TW}C
R;%>^5
r5JlG!
_R60TR
R7CaG4~
R7CgGd~H
R7CjGD~I
R7CjGT~I
R8=p7D
R9{cG`~
R9{gG`~
R9{kG`~
R9{oG`~x
R9{oG`~X
	}Rbf\]
\["R;-Ca
`.rdata
rDB{2y
)rdG|X
[R{F9+	
&.-Rg;
(/|R)GD-(Gq
Rich!l
Ri^@RqN@Rq
rJ3fO<
r;^j+Yf
r;kfG"~
r;kfGr~
R;KmGT~{
R;KmGT~y
RM]0V[v
rOp0=l
roSZ!N
RpA\Vc
$rpWB*
rQ$EGa
@Rq=,N_
^@RqNPVq
^@RqN@Qq8
^@RqN@Rq
^@RqN@Rq>
^@RqN@Rq0FQq
^@RqN@Rq0VQ
^@RqN@Rq6VUqR,
^@RqN@Rq8
^@Rq>P\q
"&^@Rq^@Pq8
^@Rq^@Rq
^@Rq.@Rq
^@Rq~@Rq0
^@Rq>@Rq2fUq",
^@Rq^@RqN
^@Rq^@RqNPWq0n
^@Rq^@RqN@Zq
^@Rq^@Rq>P\q
^@Rq^@Rq>@^q5;>
^@Rq^@Rq.@[q5
^@Rq^@Rq>^TqB,N
@Rq:V9F
{RqyhS
@RqYXN%^@
^@Rq^@Zq^@B
%Rr1fDB$4
=rr98[Z
r|RiGt
r,Rr1j$
RsfR@9&
r#+UqPP
ruzlG4~
ruzlG5~
ruzlG6~
ruzlG7~
R]vpEF
r$~YSx
(*>@`S
S]5l&=?
s6A"-OS,
S\+`Cn>B
s`d[be
sEZfh$*
?s-Gt~y
/}S^HDWCF
SI%J49d
SI.	SE34QE&
	SJJmS
%S^L&T
~)sO>&
<=SP:v
|s#{qO
st;bpq	as
st;fkinas
st;qkr_m
;_Su{g
Su$K8]X
	sUk@z- _C
suN	wNV
Su pWp_
sU[Vf3p
sV;+M4-t
sxkr9O
t1MMTq
T54/KkLL`gv*~g
T5NKNJ
}"	t@5P
T7FkJsB$
T86;N#l 
t~8Gt~(Gt~(Gt~(Gt~(Gt~(G
t9t-M07m
t!ast;
ta\Uu40
*T%C\^LTN
TE)G[E
TE)G\E
TE)GfE
TE)GPE
TE)GYE
t}E(<M
Tg	tB+
tgWl!#
t~HGt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(GD~(GyR)
!This program cannot be run in DOS mode.
t;`ibjb
T?jgx^y
t#k>L(
t+LR?l
t:mza:m
t:mza*m
T#N59d
TP29~1k>
TpgMb@
:tq-G<~
tq-GD~
[Tu#g~
T=U\XS!
tvCO_o
%T-VmTU
TW@Er+J
{.t~XGt~(Gt~(Gt~(Gt~(Gt~(Gt~*Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(F
{.t~XGt~(Gt~(Gt~(Gt~(Gt~(Gt~-Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
{.t~XGt~(Gt~(Gt~(Gt~(Gt~(Gt~+Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
{.t~XGt~(Gt~(Gt~(Gt~(Gt~(Gt~'Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(G
[t{xxp
TY9B*n
,	T<Y/tVI>
%%U19d
U1F=(M2$
U&3L)M
+U3Vgi
;U7#6r
u9t/MG,u
>UaNmr
.=|?~UCr
UFra@*z
UiFN,MFM
UiIt.M1*}
uJ(%eC
uljM{N
|uL&paJ
]'US$5q
UsB#DV vCW
user32.dll
u&t~H&t~(Gt~(Gt~(Gt~(Gt~(Gt~/Gt~8Gt~(Gt~(Gt~(Gt~(Gt~(G
u&t~H&t~(Gt~(Gt~(Gt~(Gt~(Gt~'Gt~(Gt~(Gt~(Gt~(Gt~(Gt~(F
UT"J9,#
]uUJ"kj%G
uwV&H=R
 uyD-r
U=#:Z1,9X=
V$1#V<a#V<
V4GWE#2O(M&
#V<4#V%1#V<1#V<18R<1#
V$5*Eg
V5RL@%U
V7L*+1#6<
=(~VBS
V$%*Eg
{v/]f>
vf@F^}^
V~(Fl$*2q
*`vFw_
Vjl,EM
V{KnCWp='d
^&V^L"T
VMz1bEoH
VmzfH}*
%VnURor+
[v_oMa
]VOT5&
VOT}Y\
V$Q^G 4
V$	t@4
Vt<8!d
VUAl{|?
V$u*Eg
V$U*Eg
V$u*EgNOiJ
V$U*EgY^jg
)VVa*P
)VVq*s
VWeX%A
VWF@!$
VWO"!w	Qdg
vW<|yWE
w^+3OH1
W(41FkIKogU3ng
W5X^I)PLMgXN
W*9tE*
WA2pSoQ
WaDV}"
WBS0_O
W]/Bv*
WCQ^\J
W\CxSdQ
WCy>]KS
Wdx%DF
W^EffIp#
WEQPJJC
WF;nmO
WGQ($IS}fO
/`w'&`h
WH3#;i
(W';?'I
WJBd~O
Wm d3{#Kj
W@>NW_
WN''#y
'wO8oL
$Wo*h0
'WR# F49d
W*{sB*
W\SYSJ9
:WT8Cl
W*)tE*0
w-T>=s
wv@Gn^^
W@>VW/
W@>^W/
W@>*W/
WWQ>@w
Wysu}o
??*:x<
X1#V<A#R<
XAaP;bq
XAbr;~
^x<Ag`
~x/|>$G
~x/|} G
xHb48g)
%X*HecC
xh"z#w
xm%va0)
X[O6#=
XP	{C$
xpfE	i
xP"~#w
[*X@Qy
xR&9{#
|XrFI9
_;X@ST
~x/|t,G
xV7}O+
X,.x^@2q^@Rq~
!x#xFH
// ).y
#\\y)\
Y[])(<:
y3q1~3U)RFM
y3q1q3u)R^m-\UL&PAJ
y[%;49d
y7Q\$"
Y9%lY9E
Y\a8Y\a
yaBp}W
ya:m:a:m
`Y|bN+
(|+!ye@
:YE&>t
YG@-IB@(
YG@MYB@K;
YG@MYG@
YG@MYL@
YG@-YG@
YG@-YG@F
~YGZ~DG
~@Y	IcI7
yJ8|u8H
y~j$$A7
[yJyC^
Y|lco9)g$
@ylXG[
Y!%#OU
Yrc_ORc
yS89$n
ySFSB-O
yS/Q]t
Y.t?L+
|+yV{a	
yVfGJZ
Y"W^A+
	Y(W^L>T
Z3,OQg
~Z=BQ!
Zby>!<
Z!Euc[
@Z Fq'q
#Z<'I5
Z&I^Zg
zJPPK0z
ZM$Ate
?.Zmi+
z- NA,
zqSA9T
z_rb3`
ZRky(8gv>ZTK>M\]Z<<K
Zrvy(8gv>ZTK>M\]Z?<K
zSnH<WmM
ZS_!XR
ztqmGD~
ztqmGq~
ztqmGt~
Z(TX?\%
zuqmGD~
zUs=Rg
zv~hG{
zvqmGD~
z/	.Wd
zwqmGE~
zZYsj#'v