Analysis Date: 2015-07-27 15:53:01
MD5: eeb7a03b92fd37db1f9b5547457ff6b2
SHA1: 2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: dc0bc95d1f68f5f221fa7b19d52c31b0 sha1: 01e27ecf0db0facc77905ac6c487873ab62b1475 size: 1009664
Section .rdata: md5: 60227fb1de233c103afcb50d32263218 sha1: ba8eabe2dfa0744529be23f8b132e50dbc0fded6 size: 512
Section .data: md5: 4e270717d9ca16bff7d2429ad27de69e sha1: da86ea4909721c10e284f2af34603796ff505571 size: 512
Section .rsrc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 2015-02-07 09:53:36
PEhash: baed2efc5e996c786c94de01fa302ea857d7dd1e
IMPhash: a223789e1df3239afd32265971788546
AV Rising: Trojan.Win32.PolyRansom.a
AV Mcafee: W32/VirRansom.b
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV Twister: W32.PolyRansom.b.brnk.mg
AV Ad-Aware: Win32.Virlock.Gen.2
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Virlock.I virus
AV Grisoft (avg): LockScreen.BO
AV Symantec: no_virus
AV Fortinet: W32/Zegost.ATDB!tr
AV BitDefender: Win32.Virlock.Gen.2
AV K7: Trojan ( 0040fa481 )
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.2
AV MalwareBytes: no_virus
AV Authentium: W32/S-4ad0513c!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Win32.Virlock.Gen.2
AV Zillya!: Virus.Virlock.Win32.1
AV Kaspersky: Virus.Win32.PolyRansom.b
AV Trend Micro: no_virus
AV CAT (quickheal): Error Scanning File
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Win32.Virlock.Gen.2
AV Arcabit (arcavir): Win32.Virlock.Gen.2
AV ClamAV: no_virus
AV Dr. Web: Win32.VirLock.10
AV F-Secure: Win32.Virlock.Gen.2
AV CA (E-Trust Ino): Win32/Nabucur.C

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jSQAIocE.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\degEggwM.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\degEggwM.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\jSQAIocE.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Creates File: PIPE\samr
Creates File: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ucwoQkcE.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IiAAIkcE.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ucwoQkcE.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\IiAAIkcE.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mAAcQYIw.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\FmUQYccg.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\mAAcQYIw.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\FmUQYccg.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mWQAQsQg.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\usAUoEEU.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\usAUoEEU.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\mWQAQsQg.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"

Creates Process: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\jSQAIocE.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\jSQAIocE.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\FmUQYccg.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"

Creates Process: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\IiAAIkcE.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"

Creates Process: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\mWQAQsQg.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\mWQAQsQg.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a"

Creates Process: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Process
↳ C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\eIAAUUww.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: $1@
Creates Mutex: \\x141@
Creates Mutex: ,1@
Creates Mutex: 41@
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: ScUMMMcQ
Creates Mutex: vWcsggUA
Creates Mutex: \\x1c1@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: oAgg.ico
Creates File: C:\RCX9.tmp
Creates File: kYoU.ico
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: QYoY.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\RCX2.tmp
Creates File: Msgi.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: sUYu.exe
Creates File: osYk.ico
Creates File: McIc.exe
Creates File: C:\RCX8.tmp
Creates File: C:\RCX5.tmp
Creates File: AQMo.ico
Creates File: IIES.exe
Creates File: C:\RCX3.tmp
Creates File: YkYc.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: C:\RCXB.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: osAA.ico
Creates File: UOog.ico
Creates File: gAAQ.exe
Creates File: Ywck.ico
Creates File: gMoU.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: gcQQ.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: IYoM.exe
Creates File: C:\RCX7.tmp
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: sMUy.exe
Creates File: cYEu.exe
Creates File: C:\RCX6.tmp
Creates File: C:\RCXA.tmp
Creates File: AoQc.exe
Creates File: C:\RCX4.tmp
Creates File: gUwU.exe
Creates File: C:\RCXC.tmp
Creates File: Eswu.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: cKsg.ico
Creates File: cmYo.ico
Deletes File: oAgg.ico
Deletes File: kYoU.ico
Deletes File: QYoY.ico
Deletes File: gcQQ.exe
Deletes File: IYoM.exe
Deletes File: sUYu.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: osYk.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: cYEu.exe
Deletes File: sMUy.exe
Deletes File: McIc.exe
Deletes File: AoQc.exe
Deletes File: AQMo.ico
Deletes File: IIES.exe
Deletes File: YkYc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: gUwU.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: osAA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: gAAQ.exe
Deletes File: Eswu.exe
Deletes File: Ywck.ico
Deletes File: gMoU.ico
Deletes File: cKsg.ico
Deletes File: cmYo.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Creates Mutex: $1@
Creates Mutex: \\x141@
Creates Mutex: ,1@
Creates Mutex: 41@
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: ScUMMMcQ
Creates Mutex: vWcsggUA
Creates Mutex: \\x1c1@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1920

Process
↳ Pid 1224

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ C:\2f91dff85a1ee466501d2683a01a6b2df9a23a4a

Network Details:

DNS: block.io
Type: A
104.237.132.39
DNS: google.com
Type: A
173.194.46.78
DNS: google.com
Type: A
173.194.46.73
DNS: google.com
Type: A
173.194.46.72
DNS: google.com
Type: A
173.194.46.71
DNS: google.com
Type: A
173.194.46.70
DNS: google.com
Type: A
173.194.46.69
DNS: google.com
Type: A
173.194.46.68
DNS: google.com
Type: A
173.194.46.67
DNS: google.com
Type: A
173.194.46.66
DNS: google.com
Type: A
173.194.46.65
DNS: google.com
Type: A
173.194.46.64
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1032 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1033 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1034 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1035 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1036 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1037 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1038 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1039 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1040 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1041 ➝ 173.194.46.78:80
Flows TCP: 192.168.1.1:1042 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1043 ➝ 173.194.46.78:80
Flows TCP: 192.168.1.1:1044 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1045 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1046 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1047 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1048 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1049 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1050 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1051 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1052 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1053 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1054 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1055 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1056 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1057 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1058 ➝ 104.237.132.39:443
Flows TCP: 192.168.1.1:1059 ➝ 104.237.132.39:443

Raw Pcap
0x00000000 (00000)   160303                                ...

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a 7da913d7 ec5653              ....}....VS

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings