Analysis Date2015-12-26 14:57:19
MD5a6f15d2fdccfc61613f40ed89144878b
SHA1065ef3258ad67c6fceb6949fbd94186ea4031610

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 26548190aa5d6c81512f107985b0d843 sha1: 05480b565310101a6bf0ec18d0563517770e883d size: 453120
Section.rdata md5: b7934836c5f0e319243c17f79a240987 sha1: 402bd3ee4f85a286ae4a9ab1ed8e13b31dccba98 size: 512
Section.data md5: 627eabc20ae8bfb7d76e0258ba8f4474 sha1: 6dd2757ddbd256ec034bbf726d65b9cf60da1f09 size: 512
Section.rsrc md5: 36ce5f3ba9b7bc9af256969278a1f5e1 sha1: 22e1f7765e98b02d6299cb0c321e6436628d2210 size: 4608
Timestamp2015-01-06 00:36:08
PEhash49d970010b0a0cfbf53b68753156f09f54debca1
IMPhash2ebddb969f6d04e2e8652e610514d538
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVSymantecW32.Ransomlock.AO!inf4
AVAuthentiumW32/S-b256b4b7!Eldorado
AVKasperskyVirus.Win32.PolyRansom.b
AVDr. WebWin32.VirLock.10
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMcafeeW32/VirRansom.b
AVBullGuardWin32.Virlock.Gen.1
AVAlwil (avast)MalOb-FE [Cryp]
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVClamAVno_virus
AVIkarusVirus-Ransom.FileLocker
AVCAT (quickheal)Ransom.VirLock.A2
AVEset (nod32)Win32/Virlock.D virus
AVF-SecureWin32.Virlock.Gen.1
AVVirusBlokAda (vba32)Virus.VirLock
AVTrend MicroPE_VIRLOCK.D
AVAd-AwareWin32.Virlock.Gen.1
AVK7Trojan ( 0040f9f31 )
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVCA (E-Trust Ino)Win32/Nabucur.C
AVEmsisoftWin32.Virlock.Gen.1
AVRisingTrojan.Win32.PolyRansom.a
AVBitDefenderWin32.Virlock.Gen.1
AVMalwareBytesTrojan.VirLock
AVFrisk (f-prot)no_virus
AVTwisterW32.PolyRansom.b.brnk.mg
AVZillya!Virus.Virlock.Win32.1
AVFortinetW32/Zegost.ATDB!tr
AVGrisoft (avg)Generic_r.EKW

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\065ef3258ad67c6fceb6949fbd94186ea4031610
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DmcggAwg.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\LMoocUQk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\DmcggAwg.bat
Creates Process"C:\065ef3258ad67c6fceb6949fbd94186ea4031610"
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\LMoocUQk.bat" "C:\malware.exe""
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\065ef3258ad67c6fceb6949fbd94186ea4031610

Creates FileC:\065ef3258ad67c6fceb6949fbd94186ea4031610
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\mucIUYEc.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\sussgkMs.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\sussgkMs.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\mucIUYEc.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\065ef3258ad67c6fceb6949fbd94186ea4031610"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\065ef3258ad67c6fceb6949fbd94186ea4031610"

Creates ProcessC:\065ef3258ad67c6fceb6949fbd94186ea4031610

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\mucIUYEc.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\LMoocUQk.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\LMoocUQk.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\065ef3258ad67c6fceb6949fbd94186ea4031610"

Creates ProcessC:\065ef3258ad67c6fceb6949fbd94186ea4031610

Process
↳ "C:\065ef3258ad67c6fceb6949fbd94186ea4031610"

Creates ProcessC:\065ef3258ad67c6fceb6949fbd94186ea4031610

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\065ef3258ad67c6fceb6949fbd94186ea4031610

Creates FileC:\065ef3258ad67c6fceb6949fbd94186ea4031610
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aQcssEIg.bat
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\vOscQgYQ.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aQcssEIg.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\vOscQgYQ.bat" "C:\malware.exe""
Creates Process"C:\065ef3258ad67c6fceb6949fbd94186ea4031610"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\vOscQgYQ.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\malware.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\vOscQgYQ.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileEWcI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileyIEo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FilewmMg.ico
Creates FileICAs.ico
Creates FileoYkc.ico
Creates FilecCcA.ico
Creates FileuWYw.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FilegugA.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FilewgQo.exe
Creates FileC:\RCX5.tmp
Creates FilesCYk.ico
Creates FileyEAU.exe
Creates FileOGok.ico
Creates FileUMYg.ico
Creates FileCYUM.exe
Creates FileC:\RCX3.tmp
Creates FilegAwM.exe
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FilesWIc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\RCXF.tmp
Creates FileOqQI.ico
Creates FileC:\RCX12.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileuAgU.ico
Creates FileYMgg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates Filegkcs.ico
Creates FileoMAs.exe
Creates FileIIkA.ico
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileMQYi.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileIIoA.ico
Creates FileC:\RCX6.tmp
Creates FileGukw.ico
Creates FilescoK.exe
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileASAg.ico
Creates FileC:\RCXC.tmp
Creates FileC:\RCX19.tmp
Creates FileAMAq.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\RCX1C.tmp
Creates FilewoQa.exe
Creates FilecEQa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileYUYC.exe
Creates FileC:\RCX9.tmp
Creates FileC:\RCX1A.tmp
Creates FilecooG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FilemQwY.exe
Creates FileoMoc.exe
Creates FileMMYo.exe
Creates FileC:\RCX8.tmp
Creates FileAEkY.ico
Creates Fileaowg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileYcEG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileIAIo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileoEIE.exe
Creates FileC:\RCX1D.tmp
Creates FilekiQk.ico
Creates FilekKMg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileMWIk.ico
Creates FileYIwY.exe
Creates FileAwQo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileQQkY.exe
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FilemsoO.exe
Creates FileC:\RCX16.tmp
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileswES.exe
Creates FileQIIw.ico
Creates FilesQMS.exe
Creates FileC:\RCX17.tmp
Creates Filecwsu.exe
Creates FileC:\RCX4.tmp
Creates FileMUQi.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileMsEm.exe
Creates FileIkcM.ico
Creates FilewcsA.exe
Creates FileWesA.ico
Creates Fileekgi.exe
Creates FileYoEQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Deletes FileEWcI.ico
Deletes FileyIEo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilewmMg.ico
Deletes FileICAs.ico
Deletes FileoYkc.ico
Deletes FilecCcA.ico
Deletes FileuWYw.ico
Deletes FilegugA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FilewgQo.exe
Deletes FilesCYk.ico
Deletes FileyEAU.exe
Deletes FileOGok.ico
Deletes FileUMYg.ico
Deletes FileCYUM.exe
Deletes FilegAwM.exe
Deletes FilesWIc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileOqQI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileuAgU.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileYMgg.ico
Deletes Filegkcs.ico
Deletes FileoMAs.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileIIkA.ico
Deletes FileMQYi.exe
Deletes FileIIoA.ico
Deletes FileGukw.ico
Deletes FilescoK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileASAg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileAMAq.exe
Deletes FilewoQa.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FilecEQa.exe
Deletes FileYUYC.exe
Deletes FilecooG.exe
Deletes FilemQwY.exe
Deletes FileMMYo.exe
Deletes FileoMoc.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileAEkY.ico
Deletes Fileaowg.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileYcEG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileIAIo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileoEIE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FilekiQk.ico
Deletes FilekKMg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileYIwY.exe
Deletes FileMWIk.ico
Deletes FileAwQo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileQQkY.exe
Deletes FilemsoO.exe
Deletes FileswES.exe
Deletes FileQIIw.ico
Deletes FilesQMS.exe
Deletes Filecwsu.exe
Deletes FileMUQi.exe
Deletes FileIkcM.ico
Deletes FileMsEm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FilewcsA.exe
Deletes Fileekgi.exe
Deletes FileWesA.ico
Deletes FileYoEQ.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\065ef3258ad67c6fceb6949fbd94186ea4031610

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1144

Network Details:

DNSgoogle.com
Type: A
173.194.46.65
DNSgoogle.com
Type: A
173.194.46.66
DNSgoogle.com
Type: A
173.194.46.67
DNSgoogle.com
Type: A
173.194.46.68
DNSgoogle.com
Type: A
173.194.46.69
DNSgoogle.com
Type: A
173.194.46.70
DNSgoogle.com
Type: A
173.194.46.71
DNSgoogle.com
Type: A
173.194.46.72
DNSgoogle.com
Type: A
173.194.46.73
DNSgoogle.com
Type: A
173.194.46.78
DNSgoogle.com
Type: A
173.194.46.64
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 173.194.46.65:80
Flows TCP192.168.1.1:1032 ➝ 173.194.46.65:80

Raw Pcap

Strings