HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.143250 (B) (Emsisoft), Trojan.MSIL.Bladabindi.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9c376b9982d85233c3b3644765c1370d
SHA1: a24bb68107122564dfbe0c2df5b31455e50ef8ea
SHA256: 4f284f4ca76ebfcf6b5f587672556bc6d66237ddbbc49ad4621eafe3cf5d6943
SSDeep: 768:agTMFRhoYTqiv2TPdRvMsipGiVxLwsYD2eK/0m2aZ gz/KGBC6ajuqq:dTsRhoYuiSP0Jpz ib8m2 BdTqq
Size: 57856 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-16 10:49:19
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1936
netsh.exe:364
The Trojan injects its code into the following process(es):
%original file name%.exe:1280
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\spread.exe (57 bytes)
%System%\drivers\etc\hosts (222 bytes)
C:\autorun.inf (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe (399 bytes)
Registry activity
The process %original file name%.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 CE 1F BE BC 4F FB 14 AB 83 4F C2 2E CD 29 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 81 4A 57 13 A4 54 9E 78 6B 3E 31 93 68 75 BD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\ba4c12bee3027d94da5c81db2d196bfd]
"US" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process netsh.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 D7 FD EE 9C C2 34 22 83 EF 68 7B 84 63 B5 12"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 956 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.virustotal.com |
127.0.0.1 | anubis.iseclab.org |
127.0.0.1 | www.virscan.org |
127.0.0.1 | virusscan.jotti.org |
127.0.0.1 | scanner.virus.org |
127.0.0.1 | scanner.novirusthanks.org |
127.0.0.1 | metascan-online.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1936
netsh.exe:364 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\spread.exe (57 bytes)
%System%\drivers\etc\hosts (222 bytes)
C:\autorun.inf (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe (399 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ba4c12bee3027d94da5c81db2d196bfd" = "c:\%original file name%.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7601.17514
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: EXPLORER.EXE
Internal Name: explorer
File Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
File Description: Windows Explorer
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 6.1.7601.17514Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: EXPLORER.EXEInternal Name: explorerFile Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)File Description: Windows ExplorerComments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 26516 | 26624 | 3.81104 | a73aa2a150bdbf8793ea240b43e20cf4 |
.sdata | 40960 | 488 | 512 | 4.60142 | ba1a51c546597b8fdcb7d0154e4ab651 |
.rsrc | 49152 | 29076 | 29184 | 5.21438 | 8cb4f765d997f71a3a7455e8a3fc85c8 |
.reloc | 81920 | 12 | 512 | 0.056519 | 01942ce6d5fd164bddf4ac90fbc430e9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1280:
.text
.text
`.rsrc
`.rsrc
@.reloc
@.reloc
v2.0.50727
v2.0.50727
w.exe
w.exe
Microsoft.VisualBasic
Microsoft.VisualBasic
System.Windows.Forms
System.Windows.Forms
System.Drawing
System.Drawing
avicap32.dll
avicap32.dll
user32.dll
user32.dll
kernel32.dll
kernel32.dll
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.ApplicationServices
.ctor
.ctor
System.CodeDom.Compiler
System.CodeDom.Compiler
System.ComponentModel
System.ComponentModel
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.Devices
System.Diagnostics
System.Diagnostics
get_WebServices
get_WebServices
.cctor
.cctor
HelpKeywordAttribute
HelpKeywordAttribute
System.ComponentModel.Design
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.InteropServices
System.IO
System.IO
get_ExecutablePath
get_ExecutablePath
System.Collections
System.Collections
Operators
Operators
OperatingSystem
OperatingSystem
System.Text
System.Text
System.Collections.Generic
System.Collections.Generic
System.IO.Compression
System.IO.Compression
System.Threading
System.Threading
Microsoft.Win32
Microsoft.Win32
System.Reflection
System.Reflection
ProcessWindowStyle
ProcessWindowStyle
WebClient
WebClient
System.Net
System.Net
CopyPixelOperation
CopyPixelOperation
System.Drawing.Imaging
System.Drawing.Imaging
RegistryKey
RegistryKey
GetKey
GetKey
System.Net.Sockets
System.Net.Sockets
TcpClient
TcpClient
Microsoft.VisualBasic.MyServices
Microsoft.VisualBasic.MyServices
OpenSubKey
OpenSubKey
wVirtKey
wVirtKey
lpKeyState
lpKeyState
GetKeyboardState
GetKeyboardState
MapVirtualKey
MapVirtualKey
GetKeyboardLayout
GetKeyboardLayout
Keyboard
Keyboard
GetExecutingAssembly
GetExecutingAssembly
GetAsyncKeyState
GetAsyncKeyState
vKey
vKey
Keys
Keys
8.0.0.0
8.0.0.0
My.User
My.User
My.Application
My.Application
My.WebServices
My.WebServices
My.Computer
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
4System.Web.Services.Protocols.SoapHttpClientProtocol
_CorExeMain
_CorExeMain
mscoree.dll
mscoree.dll
CreateSubKey
CreateSubKey
Windows
Windows
Mr.Wolf
Mr.Wolf
cmd.exe
cmd.exe
.^:-_`_:*^_^`-:-;^
.^:-_`_:*^_^`-:-;^
UseShellExecute
UseShellExecute
WindowStyle
WindowStyle
GetSubKeyNames
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKeyTree
DeleteSubKey
DeleteSubKey
cmd.exe /k ping 0 & del "
cmd.exe /k ping 0 & del "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Users\
C:\Users\
cports
cports
ProcessHacker
ProcessHacker
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\autorun.inf
\autorun.inf
shellexecute=
shellexecute=
autorun.inf
autorun.inf
??/??/??
??/??/??
ShiftKeyDown
ShiftKeyDown
WScript.Shell
WScript.Shell
&explorer /root,"Ã%
&explorer /root,"Ã%
%SystemRoot%\system32\SHELL32.dll,3
%SystemRoot%\system32\SHELL32.dll,3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%System%\drivers\etc\hosts
%System%\drivers\etc\hosts
127.0.0.1
127.0.0.1
VVV.virustotal.com
VVV.virustotal.com
anubis.iseclab.org
anubis.iseclab.org
VVV.virscan.org
VVV.virscan.org
virusscan.jotti.org
virusscan.jotti.org
scanner.virus.org
scanner.virus.org
scanner.novirusthanks.org
scanner.novirusthanks.org
metascan-online.com
metascan-online.com
\edonkey2000\incoming\
\edonkey2000\incoming\
%original file name%.exe_1280_rwx_00400000_00014000:
.text
.text
`.rsrc
`.rsrc
@.reloc
@.reloc
v2.0.50727
v2.0.50727
w.exe
w.exe
Microsoft.VisualBasic
Microsoft.VisualBasic
System.Windows.Forms
System.Windows.Forms
System.Drawing
System.Drawing
avicap32.dll
avicap32.dll
user32.dll
user32.dll
kernel32.dll
kernel32.dll
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.ApplicationServices
.ctor
.ctor
System.CodeDom.Compiler
System.CodeDom.Compiler
System.ComponentModel
System.ComponentModel
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.Devices
System.Diagnostics
System.Diagnostics
get_WebServices
get_WebServices
.cctor
.cctor
HelpKeywordAttribute
HelpKeywordAttribute
System.ComponentModel.Design
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.InteropServices
System.IO
System.IO
get_ExecutablePath
get_ExecutablePath
System.Collections
System.Collections
Operators
Operators
OperatingSystem
OperatingSystem
System.Text
System.Text
System.Collections.Generic
System.Collections.Generic
System.IO.Compression
System.IO.Compression
System.Threading
System.Threading
Microsoft.Win32
Microsoft.Win32
System.Reflection
System.Reflection
ProcessWindowStyle
ProcessWindowStyle
WebClient
WebClient
System.Net
System.Net
CopyPixelOperation
CopyPixelOperation
System.Drawing.Imaging
System.Drawing.Imaging
RegistryKey
RegistryKey
GetKey
GetKey
System.Net.Sockets
System.Net.Sockets
TcpClient
TcpClient
Microsoft.VisualBasic.MyServices
Microsoft.VisualBasic.MyServices
OpenSubKey
OpenSubKey
wVirtKey
wVirtKey
lpKeyState
lpKeyState
GetKeyboardState
GetKeyboardState
MapVirtualKey
MapVirtualKey
GetKeyboardLayout
GetKeyboardLayout
Keyboard
Keyboard
GetExecutingAssembly
GetExecutingAssembly
GetAsyncKeyState
GetAsyncKeyState
vKey
vKey
Keys
Keys
8.0.0.0
8.0.0.0
My.User
My.User
My.Application
My.Application
My.WebServices
My.WebServices
My.Computer
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
4System.Web.Services.Protocols.SoapHttpClientProtocol
_CorExeMain
_CorExeMain
mscoree.dll
mscoree.dll
CreateSubKey
CreateSubKey
Windows
Windows
Mr.Wolf
Mr.Wolf
cmd.exe
cmd.exe
.^:-_`_:*^_^`-:-;^
.^:-_`_:*^_^`-:-;^
UseShellExecute
UseShellExecute
WindowStyle
WindowStyle
GetSubKeyNames
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKeyTree
DeleteSubKey
DeleteSubKey
cmd.exe /k ping 0 & del "
cmd.exe /k ping 0 & del "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Users\
C:\Users\
cports
cports
ProcessHacker
ProcessHacker
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\autorun.inf
\autorun.inf
shellexecute=
shellexecute=
autorun.inf
autorun.inf
??/??/??
??/??/??
ShiftKeyDown
ShiftKeyDown
WScript.Shell
WScript.Shell
&explorer /root,"Ã%
&explorer /root,"Ã%
%SystemRoot%\system32\SHELL32.dll,3
%SystemRoot%\system32\SHELL32.dll,3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%System%\drivers\etc\hosts
%System%\drivers\etc\hosts
127.0.0.1
127.0.0.1
VVV.virustotal.com
VVV.virustotal.com
anubis.iseclab.org
anubis.iseclab.org
VVV.virscan.org
VVV.virscan.org
virusscan.jotti.org
virusscan.jotti.org
scanner.virus.org
scanner.virus.org
scanner.novirusthanks.org
scanner.novirusthanks.org
metascan-online.com
metascan-online.com
\edonkey2000\incoming\
\edonkey2000\incoming\
%original file name%.exe_1280_rwx_675A6000_00003000:
.Qg
.Qg
*Rg`.Rg|)RgL Rg
*Rg`.Rg|)RgL Rg