Trojan.Win32.Autoit.bol (Kaspersky), Trojan.Agent.a (VIPRE), Trojan.KeyLogger.14854 (DrWeb), Artemis!A7DB38C70B00 (McAfee), WS.Reputation.1 (Symantec), Luhe.Cryptic.F (AVG), Win32:Malware-gen (Avast), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR, GenericInjector.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a7db38c70b004da80c55fc88cea0998f
SHA1: 42cd13c09354357d47a778a9ae01157c62ffdb7d
SHA256: 43bdc9a0ad37c048c74a0b5c1214accc60a1920a5aac72637c4476470bb543f6
SSDeep: 49152:b7Tewhjcsw3QrN6uY440qSRxab1Sj6j5iOBc5:FhA/wNkJaYjj5iOG
Size: 2013696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-17 09:00:50
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
UYHNN.exe:1200
WScript.exe:3544
Setup.exe:2904
%original file name%.exe:2660
The Worm injects its code into the following process(es):
UYHNN.exe:1176
Glückskeks.exe:532
glueckskeks_.exe:1136
File activity
The process UYHNN.exe:1200 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\GRAMC\UCHWICJA.dat (28 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\GRAMC\UCHWICJA.dat (0 bytes)
The process Glückskeks.exe:532 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\jestertb.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\jesterrun0.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gluecks-keks.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\glueckskeks_.exe (15685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\content.xml (5 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gluecks-keks.ini (0 bytes)
The process glueckskeks_.exe:1136 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (634 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\localhost\glueckskeks.sxx (130 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\localhost\glueckskeks.sol (0 bytes)
The process Setup.exe:2904 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\GRAMC\UYHNN.exe (15361 bytes)
%Documents and Settings%\%current user%\GRAMC\settings.ini (162 bytes)
%Documents and Settings%\%current user%\GRAMC\winrar.vbs (56 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\GRAMC\__tmp_rar_sfx_access_check_470453 (0 bytes)
The process %original file name%.exe:2660 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Glückskeks.exe (13968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup.exe (20277 bytes)
Registry activity
The process UYHNN.exe:1176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 29 80 AC DD B0 11 AC CD 94 C6 F3 8C 43 5D 27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process UYHNN.exe:1200 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 74 82 DB 8A D9 04 3F 5B 0A 71 CF 6E 55 31 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process Glückskeks.exe:532 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 14 A8 B9 56 1B CD 66 D5 11 69 9C 3C D0 73 87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"glückskeks"
The process WScript.exe:3544 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 70 55 BB E9 82 EE 89 1E C3 1D 46 08 A5 6F 4F"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\GRAMC]
"UYHNN.exe" = "AutoIt v3 Script"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process glueckskeks_.exe:1136 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 45 61 6C DA C4 7A 27 01 16 F9 3C 97 24 A8 68"
The process Setup.exe:2904 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 0D C6 F6 28 04 AC 81 25 D2 2B D6 3B 2C AA 6B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\System32]
"WScript.exe" = "Microsoft (R) Windows Based Script Host"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process %original file name%.exe:2660 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 40 1B 7A B9 B3 43 CF 51 84 F7 16 52 C4 CF E3"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
UYHNN.exe:1200
WScript.exe:3544
Setup.exe:2904
%original file name%.exe:2660
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\GRAMC\UCHWICJA.dat (28 bytes)
%WinDir%\jestertb.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\jesterrun0.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gluecks-keks.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\glueckskeks_.exe (15685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\content.xml (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (634 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\localhost\glueckskeks.sxx (130 bytes)
%Documents and Settings%\%current user%\GRAMC\UYHNN.exe (15361 bytes)
%Documents and Settings%\%current user%\GRAMC\M33608.VGU (6 bytes)
%Documents and Settings%\%current user%\GRAMC\D34017.VSH (6 bytes)
%Documents and Settings%\%current user%\GRAMC\95522.KTV (5 bytes)
%Documents and Settings%\%current user%\GRAMC\O8827.GAW (5 bytes)
%Documents and Settings%\%current user%\GRAMC\W63901.GZR (6 bytes)
%Documents and Settings%\%current user%\GRAMC\66911.LPP (5 bytes)
%Documents and Settings%\%current user%\GRAMC\27781.CLU (5 bytes)
%Documents and Settings%\%current user%\GRAMC\X20411.YKU (6 bytes)
%Documents and Settings%\%current user%\GRAMC\D70007.PHD (6 bytes)
%Documents and Settings%\%current user%\GRAMC\C84571.YGJ (6 bytes)
%Documents and Settings%\%current user%\GRAMC\42492.BSQ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\39800.FNY (5 bytes)
%Documents and Settings%\%current user%\GRAMC\A46429.LTW (6 bytes)
%Documents and Settings%\%current user%\GRAMC\84906.JMP (5 bytes)
%Documents and Settings%\%current user%\GRAMC\D26479.XRA (6 bytes)
%Documents and Settings%\%current user%\GRAMC\S11702.FKP (6 bytes)
%Documents and Settings%\%current user%\GRAMC\65308.ZAN (5 bytes)
%Documents and Settings%\%current user%\GRAMC\11225.TWO (5 bytes)
%Documents and Settings%\%current user%\GRAMC\M91962.ZOT (6 bytes)
%Documents and Settings%\%current user%\GRAMC\83893.GLD (5 bytes)
%Documents and Settings%\%current user%\GRAMC\74801.MOE (5 bytes)
%Documents and Settings%\%current user%\GRAMC\28863.ECS (5 bytes)
%Documents and Settings%\%current user%\GRAMC\66999.KOM (5 bytes)
%Documents and Settings%\%current user%\GRAMC\51759.CXM (5 bytes)
%Documents and Settings%\%current user%\GRAMC\F51146.CMM (6 bytes)
%Documents and Settings%\%current user%\GRAMC\45440.ZLJ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\27125.URQ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\83682.CTJ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\86675.UJF (5 bytes)
%Documents and Settings%\%current user%\GRAMC\4089.SAI (4 bytes)
%Documents and Settings%\%current user%\GRAMC\Y13569.ENK (6 bytes)
%Documents and Settings%\%current user%\GRAMC\L51155.FHC (6 bytes)
%Documents and Settings%\%current user%\GRAMC\X56353.TGR (6 bytes)
%Documents and Settings%\%current user%\GRAMC\95645.IGY (5 bytes)
%Documents and Settings%\%current user%\GRAMC\C48951.OEB (6 bytes)
%Documents and Settings%\%current user%\GRAMC\X7690.JOH (5 bytes)
%Documents and Settings%\%current user%\GRAMC\11904.JCM (5 bytes)
%Documents and Settings%\%current user%\GRAMC\U24175.DAB (6 bytes)
%Documents and Settings%\%current user%\GRAMC\72519.UIR (5 bytes)
%Documents and Settings%\%current user%\GRAMC\38379.BLM (5 bytes)
%Documents and Settings%\%current user%\GRAMC\G92496.IVK (6 bytes)
%Documents and Settings%\%current user%\GRAMC\N20239.NPD (6 bytes)
%Documents and Settings%\%current user%\GRAMC\6946.OCC (4 bytes)
%Documents and Settings%\%current user%\GRAMC\69061.XFV (5 bytes)
%Documents and Settings%\%current user%\GRAMC\31334.AIX (5 bytes)
%Documents and Settings%\%current user%\GRAMC\N10194.FNA (6 bytes)
%Documents and Settings%\%current user%\GRAMC\G75118.BGO (6 bytes)
%Documents and Settings%\%current user%\GRAMC\29215.OUZ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\36071.XAM (5 bytes)
%Documents and Settings%\%current user%\GRAMC\I81861.UGG (6 bytes)
%Documents and Settings%\%current user%\GRAMC\15474.OBY (5 bytes)
%Documents and Settings%\%current user%\GRAMC\99666.ULG (5 bytes)
%Documents and Settings%\%current user%\GRAMC\F6667.UBQ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\D33268.MWF (6 bytes)
%Documents and Settings%\%current user%\GRAMC\S22559.CID (6 bytes)
%Documents and Settings%\%current user%\GRAMC\W74023.RAS (6 bytes)
%Documents and Settings%\%current user%\GRAMC\G9559.MTP (5 bytes)
%Documents and Settings%\%current user%\GRAMC\77580.LKQ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\Y51135.IGJ (6 bytes)
%Documents and Settings%\%current user%\GRAMC\Y68450.LDC (6 bytes)
%Documents and Settings%\%current user%\GRAMC\700477.dat (4545 bytes)
%Documents and Settings%\%current user%\GRAMC\85773.MAE (5 bytes)
%Documents and Settings%\%current user%\GRAMC\52823.NSC (5 bytes)
%Documents and Settings%\%current user%\GRAMC\48933.UJK (5 bytes)
%Documents and Settings%\%current user%\GRAMC\21360.QAF (5 bytes)
%Documents and Settings%\%current user%\GRAMC\185153.dat (28 bytes)
%Documents and Settings%\%current user%\GRAMC\37868.EVZ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\72245.DSY (5 bytes)
%Documents and Settings%\%current user%\GRAMC\O38238.KCM (6 bytes)
%Documents and Settings%\%current user%\GRAMC\99045.QHA (5 bytes)
%Documents and Settings%\%current user%\GRAMC\N16446.EGT (6 bytes)
%Documents and Settings%\%current user%\GRAMC\M89818.ZIT (6 bytes)
%Documents and Settings%\%current user%\GRAMC\91622.UCX (5 bytes)
%Documents and Settings%\%current user%\GRAMC\G40339.JBL (6 bytes)
%Documents and Settings%\%current user%\GRAMC\15151.ONF (5 bytes)
%Documents and Settings%\%current user%\GRAMC\84234.DDL (5 bytes)
%Documents and Settings%\%current user%\GRAMC\Z28718.RYN (6 bytes)
%Documents and Settings%\%current user%\GRAMC\W59408.YLR (6 bytes)
%Documents and Settings%\%current user%\GRAMC\51781.ZJN (5 bytes)
%Documents and Settings%\%current user%\GRAMC\49647.RKO (5 bytes)
%Documents and Settings%\%current user%\GRAMC\O12052.SME (6 bytes)
%Documents and Settings%\%current user%\GRAMC\K80891.IED (6 bytes)
%Documents and Settings%\%current user%\GRAMC\P85445.EUP (6 bytes)
%Documents and Settings%\%current user%\GRAMC\P62239.ZSE (6 bytes)
%Documents and Settings%\%current user%\GRAMC\6909.IZD (4 bytes)
%Documents and Settings%\%current user%\GRAMC\O38614.ELM (6 bytes)
%Documents and Settings%\%current user%\GRAMC\8077.PLQ (4 bytes)
%Documents and Settings%\%current user%\GRAMC\5779.MQE (4 bytes)
%Documents and Settings%\%current user%\GRAMC\Y24402.ZTB (6 bytes)
%Documents and Settings%\%current user%\GRAMC\Q2467.XFD (5 bytes)
%Documents and Settings%\%current user%\GRAMC\67194.VDD (5 bytes)
%Documents and Settings%\%current user%\GRAMC\E61883.OLZ (6 bytes)
%Documents and Settings%\%current user%\GRAMC\Y28099.UEF (6 bytes)
%Documents and Settings%\%current user%\GRAMC\6128.ZJO (4 bytes)
%Documents and Settings%\%current user%\GRAMC\V45693.JMZ (6 bytes)
%Documents and Settings%\%current user%\GRAMC\V11771.DIA (6 bytes)
%Documents and Settings%\%current user%\GRAMC\O4082.FXT (5 bytes)
%Documents and Settings%\%current user%\GRAMC\15566.EHF (5 bytes)
%Documents and Settings%\%current user%\GRAMC\J66838.EDE (6 bytes)
%Documents and Settings%\%current user%\GRAMC\54698.SAK (5 bytes)
%Documents and Settings%\%current user%\GRAMC\17736.AAV (5 bytes)
%Documents and Settings%\%current user%\GRAMC\P22725.AWW (6 bytes)
%Documents and Settings%\%current user%\GRAMC\A12439.GSX (6 bytes)
%Documents and Settings%\%current user%\GRAMC\C68861.XXS (6 bytes)
%Documents and Settings%\%current user%\GRAMC\9142.IQP (4 bytes)
%Documents and Settings%\%current user%\GRAMC\46834.ZMM (5 bytes)
%Documents and Settings%\%current user%\GRAMC\Z22054.ELB (6 bytes)
%Documents and Settings%\%current user%\GRAMC\U12465.UYH (6 bytes)
%Documents and Settings%\%current user%\GRAMC\A38119.ZMQ (6 bytes)
%Documents and Settings%\%current user%\GRAMC\V84624.DXK (6 bytes)
%Documents and Settings%\%current user%\GRAMC\22463.HRX (5 bytes)
%Documents and Settings%\%current user%\GRAMC\65269.XJJ (5 bytes)
%Documents and Settings%\%current user%\GRAMC\55999.RYA (5 bytes)
%Documents and Settings%\%current user%\GRAMC\C67888.QBG (6 bytes)
%Documents and Settings%\%current user%\GRAMC\V71113.FLV (6 bytes)
%Documents and Settings%\%current user%\GRAMC\D19602.PHE (6 bytes)
%Documents and Settings%\%current user%\GRAMC\L65656.YQI (6 bytes)
%Documents and Settings%\%current user%\GRAMC\55467.HGX (5 bytes)
%Documents and Settings%\%current user%\GRAMC\51422.ZYD (5 bytes)
%Documents and Settings%\%current user%\GRAMC\90106.XBW (5 bytes)
%Documents and Settings%\%current user%\GRAMC\S61835.UFN (6 bytes)
%Documents and Settings%\%current user%\GRAMC\77154.HUN (5 bytes)
%Documents and Settings%\%current user%\GRAMC\11447.IWG (5 bytes)
%Documents and Settings%\%current user%\GRAMC\V36421.RPL (6 bytes)
%Documents and Settings%\%current user%\GRAMC\34232.CWT (5 bytes)
%Documents and Settings%\%current user%\GRAMC\70184.VNL (5 bytes)
%Documents and Settings%\%current user%\GRAMC\60265.XSU (5 bytes)
%Documents and Settings%\%current user%\GRAMC\94281.SBG (5 bytes)
%Documents and Settings%\%current user%\GRAMC\85672.LHF (5 bytes)
%Documents and Settings%\%current user%\GRAMC\20357.ADT (5 bytes)
%Documents and Settings%\%current user%\GRAMC\H26734.JHK (6 bytes)
%Documents and Settings%\%current user%\GRAMC\D7074.CSS (5 bytes)
%Documents and Settings%\%current user%\GRAMC\33290.VPD (5 bytes)
%Documents and Settings%\%current user%\GRAMC\settings.ini (162 bytes)
%Documents and Settings%\%current user%\GRAMC\winrar.vbs (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Glückskeks.exe (13968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup.exe (20277 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Reboot the computer.