Analysis Date2015-01-14 13:43:00
MD5073fa300375c6b023c43dd68af077390
SHA1118ed170ae63396d452d5a933c74b700cf1c8a11

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash4100cf604e40cd12ad702774881d0c6f3833b9c5
IMPhash
AV360 Safeno_virus
AVAd-AwareTrojan.Obfus.3.Gen
AVAlwil (avast)VirLock-A:Win32:VirLock-A
AVArcabit (arcavir)Trojan.Obfus.3.Gen
AVAuthentiumW32/S-7136ec3b!Eldorado
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVBullGuardTrojan.Obfus.3.Gen
AVCA (E-Trust Ino)Win32/Nabucur.A
AVCAT (quickheal)Ransom.VirLock.A2
AVClamAVno_virus
AVDr. Webno_virus
AVEmsisoftTrojan.Obfus.3.Gen
AVEset (nod32)Win32/Virlock.G virus
AVFortinetW32/Agent.NCA
AVFrisk (f-prot)no_virus
AVF-SecureTrojan.Obfus.3.Gen
AVGrisoft (avg)Win32/Cryptor
AVIkarusVirus-Ransom.FileLocker
AVK7Virus ( 0040f99f1 )
AVKasperskyVirus.Win32.PolyRansom.a
AVMalwareBytesTrojan.VirLock
AVMcafeeTrojan-FFGO!073FA300375C
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.gen!A
AVMicroWorld (escan)Trojan.Obfus.3.Gen
AVRisingno_virus
AVSophosW32/VirRnsm-A
AVSymantecW32.Ransomlock.AO!inf
AVTrend MicroPE_FINALDO.F
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zEgIQUkc.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PKkMkkAw.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PKkMkkAw.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\zEgIQUkc.bat" "C:\malware.exe""
Creates ProcessC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates ProcessC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\LAQAwsIg.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\raAscoEg.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\xIAwAEcI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\duYkoIcE.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\duYkoIcE.bat
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\xIAwAEcI.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\LAQAwsIg.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aOgIQAYk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aOgIQAYk.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\LAQAwsIg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\xEQMAkAQ.bat" "C:\malware.exe""

Creates Process

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\raAscoEg.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CoEIkIQs.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CoEIkIQs.bat
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\raAscoEg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\uWwcQwAg.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\uWwcQwAg.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\gAcQIwII.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\gAcQIwII.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\xEQMAkAQ.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VQwsgock.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VQwsgock.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\xEQMAkAQ.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\sWAEEEAg.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\sWAEEEAg.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\QgEUooUo.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\QgEUooUo.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\sWAEEEAg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\zEgIQUkc.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\zEgIQUkc.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ZMQMEwEw.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZMQMEwEw.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ukoQQIUg.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nAsEQcEg.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nAsEQcEg.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ukoQQIUg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\XIUMoQAo.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\SiYIkoUQ.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WcMkEMUk.bat
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\SiYIkoUQ.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\WcMkEMUk.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\uWwcQwAg.bat
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qwcEgcoc.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\qwcEgcoc.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\uWwcQwAg.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\BiMQkgAU.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\BiMQkgAU.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\YeIEksAQ.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\BiMQkgAU.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\YeIEksAQ.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\BiMQkgAU.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\pWgUoMoA.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\NysQAAgk.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\xIAwAEcI.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\xIAwAEcI.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\cckYgcAo.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\NysQAAgk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\cckYgcAo.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\NysQAAgk.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ukoQQIUg.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ukoQQIUg.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\WcMkEMUk.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\WcMkEMUk.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ROAIQUsk.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\gAcQIwII.bat
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\LasockIY.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\LasockIY.bat
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\gAcQIwII.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\FSkMQYAU.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ROAIQUsk.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\FSkMQYAU.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ROAIQUsk.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\pUQcowIE.bat
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Creates ProcessC:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\118ed170ae63396d452d5a933c74b700cf1c8a11
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\RqIkwMMU.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZMQMEwEw.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\RqIkwMMU.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\118ed170ae63396d452d5a933c74b700cf1c8a11"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ZMQMEwEw.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileQwwM.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileGMge.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates Fileowgk.exe
Creates FileKQoe.exe
Creates FileEsMW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileYQEg.exe
Creates FileUMgo.exe
Creates FilegYMy.ico
Creates FilegQgq.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileaAAO.exe
Creates FilecgwW.ico
Creates FileMosI.ico
Creates FilekMIE.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FilegsoI.exe
Creates FileC:\RCX5.tmp
Creates FileC:\RCX3.tmp
Creates FileAkMk.ico
Creates FileUocS.ico
Creates FileUgcK.ico
Creates FilekosK.ico
Creates FilemcES.exe
Creates FilecwYM.exe
Creates FileIAoG.exe
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FilegMwA.exe
Creates FileC:\RCXF.tmp
Creates FileYAAo.ico
Creates FileIUMk.exe
Creates FileC:\RCX12.tmp
Creates FilecQoK.exe
Creates FileWMMW.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileYMIs.ico
Creates FilegMkE.ico
Creates FileC:\RCXD.tmp
Creates FileYwQO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\RCX18.tmp
Creates FilekEom.exe
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX6.tmp
Creates FileUwwe.ico
Creates FileiQsy.ico
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FilescgC.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileIMwE.exe
Creates FileC:\RCXC.tmp
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileQQYg.exe
Creates FileEUIW.ico
Creates FileC:\RCX1C.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileDEwS.exe
Creates FileC:\RCX1A.tmp
Creates FileoEUy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FilePIPE\wkssvc
Creates FilegMcq.exe
Creates FileC:\RCX8.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FilesIMS.exe
Creates FileaoII.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileC:\RCX1D.tmp
Creates FileQsUk.ico
Creates FileAwEw.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileMgQW.ico
Creates FileQQYe.ico
Creates FilewAAM.ico
Creates FileQkEo.ico
Creates FileMAYo.ico
Creates FileMcco.exe
Creates FilewUIM.exe
Creates FileC:\RCX16.tmp
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileQEIY.exe
Creates FilesMgG.ico
Creates FileUMMW.ico
Creates FileeEou.ico
Creates FileEwIg.exe
Creates FileC:\RCX17.tmp
Creates FileMUQI.ico
Creates FileQogU.ico
Creates FileC:\RCX4.tmp
Creates FilecMYe.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FilegcgK.exe
Creates FilewAQa.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Deletes FileQwwM.exe
Deletes FileGMge.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes Fileowgk.exe
Deletes FileKQoe.exe
Deletes FileEsMW.exe
Deletes FileYQEg.exe
Deletes FileUMgo.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FilegYMy.ico
Deletes FilegQgq.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileaAAO.exe
Deletes FilecgwW.ico
Deletes FileMosI.ico
Deletes FilekMIE.ico
Deletes FilegsoI.exe
Deletes FileAkMk.ico
Deletes FileUocS.ico
Deletes FileUgcK.ico
Deletes FilekosK.ico
Deletes FilemcES.exe
Deletes FilecwYM.exe
Deletes FileIAoG.exe
Deletes FilegMwA.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileYAAo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileIUMk.exe
Deletes FilecQoK.exe
Deletes FileWMMW.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileYMIs.ico
Deletes FilegMkE.ico
Deletes FileYwQO.exe
Deletes FilekEom.exe
Deletes FileUwwe.ico
Deletes FileiQsy.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FilescgC.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileIMwE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileQQYg.exe
Deletes FileEUIW.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileDEwS.exe
Deletes FileoEUy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilegMcq.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FilesIMS.exe
Deletes FileaoII.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileQsUk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileAwEw.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileQQYe.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileQkEo.ico
Deletes FilewAAM.ico
Deletes FileMcco.exe
Deletes FileMAYo.ico
Deletes FilesMgG.ico
Deletes FileQEIY.exe
Deletes FileUMMW.ico
Deletes FileeEou.ico
Deletes FileEwIg.exe
Deletes FileMUQI.ico
Deletes FileQogU.ico
Deletes FilecMYe.ico
Deletes FilegcgK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FilewAQa.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ Pid 3816

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\118ed170ae63396d452d5a933c74b700cf1c8a11"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ C:\118ed170ae63396d452d5a933c74b700cf1c8a11

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network Details:

DNSgoogle.com
Type: A
173.194.125.65
DNSgoogle.com
Type: A
173.194.125.66
DNSgoogle.com
Type: A
173.194.125.67
DNSgoogle.com
Type: A
173.194.125.68
DNSgoogle.com
Type: A
173.194.125.69
DNSgoogle.com
Type: A
173.194.125.70
DNSgoogle.com
Type: A
173.194.125.71
DNSgoogle.com
Type: A
173.194.125.72
DNSgoogle.com
Type: A
173.194.125.73
DNSgoogle.com
Type: A
173.194.125.78
DNSgoogle.com
Type: A
173.194.125.64
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1032 ➝ 173.194.125.65:80
Flows TCP192.168.1.1:1033 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1034 ➝ 173.194.125.65:80
Flows TCP192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap
0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .


Strings
c
.e..
C.|.
..

$09l.'#x
0aj10	
0brt8 
 <1)gG
29^we{
&}"2t-"0
3g+tNz
42m-.:
4/8Bhe
'5#lF0G
!~6Mm!S
!7fmc@s
7.HBiy
8gcANR
8{j%=<oM
}8snY{
92rRy;
&9_E|9
9$NccW
9$Y"9k&
AAeOU4
A_d>Sl|
arR`arR
aTg	"wZ
B98b?-M
b)}{c~
cc0.~8F|
cd>[lu
Cd>[lu
CDVPQQ8
^cDzT"
! cG,4
c"i!&.i!&v
cK|D3.
cuD]fr
<D8lxe|
DJ>1>Y
_d>Klf
dq<kb1
eHa]Y"
ej|-"}
ej_] }
ej^pf}g
ejUd[}
ekd56}
ekgf#}
ek}Hq}
ek.oe}
ekoQD}
{{eU	-
f/c=Oo
#FF=!*
{)f#mV i
Gd>Sl|
g]WNcV
(Ht]}9
'hvObs
h\ zUz
 i3XgFB
i8OAez;
>Ian\h
!i{~dP
@i!HO$
I&IrVV
irRHerR[ApR
&i,wS52
(j|$?|
J5*v^Q
j9<Mey
J\ay7;$
jHO|Ea
j JxU~
~JqaKs
jqIE3}.ZS#
kB3	&B6
Kd>Klf
K|S39,
$k^{	v
~	lv^I
!m68`PK
M>m\X+h
ms:I@Gs
$;Naok
|nHAaXw
NSYSKb
Od>Klf
Od>Sl|
o&J`VO
ONgGONaAONck
'' pDp
/^P*Pq
+~pqaKA
q95qez
q	dwii
QIdef3e
qp	O=5
qS_(kd>Klf
qsoKW)
qy7YqB@$ G
qZPqWn
Rich!4O
RIdef3g
Rj7-c#
sd>[lu
Sd>[lu
s]E}Ch
SKmxhN
{Sl4N7
s^P{Rk
^t8>pe
t)}9tcZ
!This program cannot be run in DOS mode.
TIdef3g
TU<aq&9
tV<Jos9
u0:SI$c
>U9A>D
Uos9}$
U'pDPb
uPSjy'
VEDv?R
V[h}Eu
&"W8U'
w#evXa
. wxic
X15Wd>Sl|
=x!A@O
x	KUv|
\y7CbY
y83w\<
y9!Cez
Y9_wY{
Y )@:gsn
_Ymw\c
!z5dbZ
.zpL+/