Analysis Date: 2015-01-14 13:24:17
MD5: 557eba9582f4a2f9a9fcc5ee0a402201
SHA1: d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 3954c4aef54f0d738283e4a698cdb1bec835b640
IMPhash
AV | 360 Safe | no_virus
AV | Ad-Aware | Trojan.Obfus.3.Gen
AV | Alwil (avast) | VirLock-A:Win32:VirLock-A
AV | Arcabit (arcavir) | Trojan.Obfus.3.Gen
AV | Authentium | W32/S-7136ec3b!Eldorado
AV | Avira (antivir) | TR/Crypt.XPACK.Gen
AV | BullGuard | Trojan.Obfus.3.Gen
AV | CA (E-Trust Ino) | Win32/Nabucur.A
AV | CAT (quickheal) | Ransom.VirLock.A2
AV | ClamAV | no_virus
AV | Dr. Web | no_virus
AV | Emsisoft | Trojan.Obfus.3.Gen
AV | Eset (nod32) | Win32/Virlock.G virus
AV | Fortinet | W32/Agent.NCA
AV | Frisk (f-prot) | no_virus
AV | F-Secure | Trojan.Obfus.3.Gen
AV | Grisoft (avg) | Win32/Cryptor
AV | Ikarus | Virus-Ransom.FileLocker
AV | K7 | Virus ( 0040f99f1 )
AV | Kaspersky | Virus.Win32.PolyRansom.a
AV | MalwareBytes | Trojan.VirLock
AV | Mcafee | Trojan-FFGO!557EBA9582F4
AV | Microsoft Security Essentials | Virus:Win32/Nabucur.gen!A
AV | MicroWorld (escan) | Trojan.Obfus.3.Gen
AV | Rising | no_virus
AV | Sophos | W32/VirRnsm-A
AV | Symantec | W32.Ransomlock.AO!inf
AV | Trend Micro | PE_FINALDO.F
AV | VirusBlokAda (vba32) | no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\kUIwAcgE.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\pOwQkIYA.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\pOwQkIYA.bat
Creates ProcessC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\kUIwAcgE.bat" "C:\malware.exe""
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates ProcessC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\SSssIkIE.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\SSssIkIE.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\pEcwAUwM.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\pEcwAUwM.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\suYgMIkk.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qqUQIEEY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\suYgMIkk.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\qqUQIEEY.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\huccUcEg.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\huccUcEg.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\kkckwcAY.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\kkckwcAY.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\huccUcEg.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\lUMsQAQs.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\lUkccgYo.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\lUMsQAQs.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\lUkccgYo.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\uuQMEwoM.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\xioUsAMw.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\xioUsAMw.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\uuQMEwoM.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\pEcwAUwM.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VokEEEoM.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VokEEEoM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\pEcwAUwM.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\rakQcQIc.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\SSssIkIE.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\rakQcQIc.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\SSssIkIE.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\uuQMEwoM.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\uuQMEwoM.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\lUkccgYo.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\lUkccgYo.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CQwMgMEE.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aqIAUkEY.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CQwMgMEE.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\aqIAUkEY.bat" "C:\malware.exe""
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\pEkwMcck.bat
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VaYIYgEY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VaYIYgEY.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\pEkwMcck.bat" "C:\malware.exe""
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\aqIAUkEY.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\hawIQMAE.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\hawIQMAE.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\kUIwAcgE.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ "C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5"

Creates ProcessC:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileiYMw.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileQoYq.ico
Creates FileSokS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileWcsa.ico
Creates FileWwcQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileuQgY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FilekEwM.ico
Creates FileaUAq.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\RCX5.tmp
Creates FileGMEk.exe
Creates FileKYQe.ico
Creates FileC:\RCX3.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileeEIA.exe
Creates FileassU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileIYEI.ico
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FilePsMW.exe
Creates FileGAwA.exe
Creates FileyUYQ.ico
Creates FileeAIg.ico
Creates FileAkoM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates Fileoksm.exe
Creates FileC:\RCXD.tmp
Creates FiletAoI.ico
Creates FileMAAg.exe
Creates FileOEcQ.ico
Creates FileAEEO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileiwgI.exe
Creates FileC:\RCX18.tmp
Creates FileyUwc.ico
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileCccU.ico
Creates FileC:\RCX6.tmp
Creates FilekgIU.ico
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileWIAQ.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileQsEe.ico
Creates FileC:\RCXC.tmp
Creates FileC:\RCX19.tmp
Creates FilefAgk.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\RCX1C.tmp
Creates FilemEQg.ico
Creates FileCIQi.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileeMgu.exe
Creates FileC:\RCX1A.tmp
Creates FileCQME.ico
Creates FileSsEC.exe
Creates Fileescq.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FilePIPE\wkssvc
Creates FileC:\RCX8.tmp
Creates FilegUQI.exe
Creates FileWsgg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileKYQW.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileMsMq.exe
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileGkEk.exe
Creates FileeUsi.exe
Creates FileUcQc.ico
Creates FileC:\RCX16.tmp
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileOwUi.exe
Creates FileC:\RCX17.tmp
Creates FilemEQm.exe
Creates FileqMgI.exe
Creates FileOgkA.exe
Creates FileC:\RCX4.tmp
Creates FilemEsq.exe
Creates FileukIg.exe
Creates FileOsIS.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileewUo.exe
Creates FileGcga.ico
Creates FileuEIg.ico
Creates FileGosC.ico
Creates FileqsAE.ico
Creates FileeEQk.exe
Deletes FileiYMw.exe
Deletes FileQoYq.ico
Deletes FileSokS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileWcsa.ico
Deletes FileWwcQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileuQgY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FilekEwM.ico
Deletes FileaUAq.ico
Deletes FileGMEk.exe
Deletes FileKYQe.ico
Deletes FileeEIA.exe
Deletes FileassU.ico
Deletes FileIYEI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FilePsMW.exe
Deletes FileGAwA.exe
Deletes FileyUYQ.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileeAIg.ico
Deletes FileAkoM.ico
Deletes Fileoksm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FiletAoI.ico
Deletes FileMAAg.exe
Deletes FileOEcQ.ico
Deletes FileAEEO.exe
Deletes FileiwgI.exe
Deletes FileyUwc.ico
Deletes FileCccU.ico
Deletes FilekgIU.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileWIAQ.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileQsEe.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FilefAgk.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FilemEQg.ico
Deletes FileCIQi.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileeMgu.exe
Deletes FileCQME.ico
Deletes FileSsEC.exe
Deletes Fileescq.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilegUQI.exe
Deletes FileWsgg.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileKYQW.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileMsMq.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileGkEk.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileeUsi.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileUcQc.ico
Deletes FileOwUi.exe
Deletes FileqMgI.exe
Deletes FilemEQm.exe
Deletes FileOgkA.exe
Deletes FileukIg.exe
Deletes FilemEsq.exe
Deletes FileOsIS.ico
Deletes FileGcga.ico
Deletes FileuEIg.ico
Deletes FileewUo.exe
Deletes FileGosC.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileeEQk.exe
Deletes FileqsAE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Process: taskkill /FI "USERNAME eq Administrator" /F /IM VyAMAMkQ.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\qqUQIEEY.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ C:\d584f75cf1b182a97bf19db34fc5bb67ba0208b5

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\pEkwMcck.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ taskkill /FI "USERNAME eq Administrator" /F /IM VyAMAMkQ.exe

Creates FilePIPE\lsarpc

Network Details:

DNS: google.com
Type: A
173.194.125.65
DNS: google.com
Type: A
173.194.125.66
DNS: google.com
Type: A
173.194.125.67
DNS: google.com
Type: A
173.194.125.68
DNS: google.com
Type: A
173.194.125.69
DNS: google.com
Type: A
173.194.125.70
DNS: google.com
Type: A
173.194.125.71
DNS: google.com
Type: A
173.194.125.72
DNS: google.com
Type: A
173.194.125.73
DNS: google.com
Type: A
173.194.125.78
DNS: google.com
Type: A
173.194.125.64
HTTP GET: http://google.com/
User-Agent: (empty)
HTTP GET: http://google.com/
User-Agent: (empty)
HTTP GET: http://google.com/
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1032 ➝ 173.194.125.65:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.125.65:80
Flows TCP: 192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1037 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1038 ➝ 173.194.125.65:80
Flows TCP: 192.168.1.1:1039 ➝ 190.186.45.170:9999
Flows TCP: 192.168.1.1:1040 ➝ 190.186.45.170:9999
Flows TCP: 192.168.1.1:1041 ➝ 200.119.204.12:9999

Raw Pcap
0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .


Strings
..'
x..
..
.
.
R
..
.
.
...b
^MM..
.
.
.`..0
0
.
0
..
.
y
.
=
&.
 ..
x
`.
*`<)=`
;`0(;`
`0(;`0
`0+;`0
;`0(;`0
;`0(;`0(
(;`0(;`0
0(;`0(;
;`0(;`0(;`0(;`
(;05,l
(;`0(8
`0+8`0
0c>O0c
0Dua~93
0+;e2(;<5
0(;e3+;2
0~@v[{
:`1):`
$14GcC
(;15,l
216Ob\
2(;=5/fz
2c{[Or
[ 2M{ GH
>2	NW2
2<[U0Y5e
3+;35,
35	F<nc
(;35,mE
3cE8qM
3D[Kr;#
3D[KZ;#
3[Or9"
4[6h8Z6
4D[OZ;#
?4.v&4.v.4/v
>}5#,/
>}5#,\
>`5-:(3
(+5-(#5
({55(#5-(
+[&5+[6
]57`1+
>`5-:73
5<A6t=
(#5e*K4
(#5e*S4
5K$mu2|
(#5%(s5
(+5%(S5
5Vi2@B
5XMQ:BW
5;#yF;#
6+;`0(
+[65+[
+[65+[6
/[65.[6%.[6
+[65,N
?[6%>[6
+[6=*[6-)[6
+[6-([6-/[6
6 7IhA
6D[KZ;#r
}6( E&
+[6e,[6
[6E+[6
6I$J4I
6I$J>I
+[6M,[2
+[6M,[6
+[6M/[6
[6M$D65
6N4J%I
([6}(Q
+[6u,[6
+[6u([6u([6
6Vwb0=
7)>	9p
8`0(;`0
$8'`5-
8[Ox;#
[9)Jx;#
,ag'wKF
A	IP"`]
[ALy`P
~A$.WE
AZ?)}x
b3(;`0+
,b<*4e5
"Bc68q
bCJ[Or7"
B<|fA=#
~b'M|m#
b;r?L|M
}}BU_,
%;c0+:
%;c2(;`
=cA8W]
cE75`6
c|eA+~P
c&F6`$^6e&G
cg&}|v
CHG#rHG#rHG#rHG#rHG#r
<CT=}!
:C$;)Ur`
[D[4	R
,D6\4J<I
d6ph?W
D$7A{P;5
d~8pM/
_D8U*L
<"d9D~
?~d9DC
DC<	;~
D[*	D~
DHZkAm
;D[Kr;#
D)kx;#
-D[Or;#
D=PZq(
DxPrVe
D)[yoh,#
+;e2(;=
+;e2(;=5/
(;e3+;
(;e3+;<
(;e3+;?
(;e3+;<5
(;e3+;>5/
(;e3+;85
e3+;95/
)e}A87
EB5);t
"]EB8v
<eIte\
@	eme[
,E-`,n
,E=`,n2c	
E-o(n6c
EQ[Or+"
Eq%vHA
Eq%vHB
[F3/[F3'[
FA&tjv
.Fc88q
fd'wKF
F[Kf;#
fK-Q[Or<"
!F[KZ;#
%F[KZ;#
F[KZ;#
F[KZ;#r
(F{;#L
f?%LvE
F|_#rH
F#rHG#rz
<	fte\
f%u#x9
);G1)#y
.G4N4G6
=g5/=}1qbw@Y!
G"a>+=`
gf7);<
G#F}F#r%
(g{;#L
\h*@'/
HC#r|G
hg#GHs#jIG
hO_~xM
HX3PJ# 
h?'xZ%
I3`$n0j
>i5*7/
>i5*7z'5
I6I$J6
~!IfCD
!i(?Fz5
%i$,Fz5
i(H3I/H
%)~i"MxR1Us
i|oD6!
i|oF6!
i|oJ6!
i[Os5#
{I%q{I;ptG'
;j1(3|
J5c/D2
J8\7r1`P
JhD:H*
}/jL}.
}/jL}F
>k5-43'
>k5-4R
+K6M,\6
k,7fiT7
k+7fiU7
K8\7f%)
k$n>n,
]KRx0N
K;#Wx:#
k#x{1L
(;{;#L
&LcD84
lW'wKF
;lx{1ULrn
~;#M|+
?"M{$	
m0I&G6
M_48ua
MfJ9M~
_mgrc3
m)H5j$i
m)M5y/D
Mo[ wK
Mo['wK
Mo[[wK
Mo[$wK
Mo[ wKF
Mo['wKF
Mo[%wKFI
MXMQ:Cs
*|n["~
N0c>O0
:%+n?2
N6\4J8I
n`J7e8
NJm2LA
n$n>\*
.:nTH[
O29#rB
$O6\4J2I
[Oh';z
}Oildj/1
OL>DAv
[OLXi]
&o~On1f
Oo[$wK
>,or!j
/>[Os3#
o['wKF
oX'wKF
?oZ'wKF
%#-_!P
p$8'Q/
p#bPjlwL
}pGHscr
!P?hlv
	~P"Mz
p$n8n$G4O
#p,n?c
p{O#PZ
pQl>r>
\Psc%r
\Ps!$q
p,=`W-B]
PYp_,h
\PZ4~p
#PZ?bp
Q@55S[6
@q{G#r
q=}K!:
Q'^{<'[O
QrR"x=
Q-VA9-R
qxUAvd
q+zsPse
%r5-7!(
RA&Vv%
rD_4	=~
rDC 	}~
rDC"	;
#rHG#rHG#r
?rHG#rHG#rHG#rJG#
RHG;rHscs7G
R	hP@'
rHr#F}G#v|
Rich!4O
Rkk$qyX*gH
RppZPg
RtX5X"
[;#rx;#
S"`\57`1+
+s6])[6
s;#lxJ#
S:!(Z6
(=T3);
tD[,	|
t\H"a;
!This program cannot be run in DOS mode.
t~l'x=
tqA7~)
tQUK{QV
tZ0/s{
U8<:^y
UA	}Er+
uOMAWX]
u[Or,"
u#rHG#rHG#rHP#K
U;#tit
%|uVc~
U;#W/:#r
V-c$n4c
{!(Ve [0O
W8\7(%
W8HG#e
'wiy!q
w#KHG#rHG#rHG#eHz
WkQ<T}
W*`[s<
*)X1xl
X4o(n"n,n
\x51QyZ;#
\xE1HPF
X"f"$=`
XIF[6M,D65
XMQ:NE
X{/;p:
X'wKFy
XXMQ:Ba
x?#xr	
X>!!Xu
X'xx%(
y,1jx9
+Y6M,T6
y{<I~1/
y^q}|O&
=y$;#r{
-"y$;#r
yYhD:H$
#yZ;#r
\yZ;#rxE
#yZ;#ry
yZ;#rz
+Z1;ly%
Z9)X|`
ZDbxyC
ZDf#xW
ZDf,yn
zD%q;@
ZFbKz!gi{1
ZFbXzs
Z}grz	
(Z/Ro:
z-r>r1~
Z;#rxb
Z;#rxfa
Z xX`)I