Analysis Date: 2014-12-05 09:44:11
MD5: 27dbab46ddfffb4c2e86a0488f845cde
SHA1: 3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 145e623aa299dbbff35de58bda2996f24f96eb73
IMPhash:

AV results (vendor: detection name; no_virus = no detection):
AV 360 Safe: Trojan.Obfus.3.Gen
AV Ad-Aware: Trojan.Obfus.3.Gen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.APGJ-1430
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Trojan.Obfus.3.Gen
AV CA (E-Trust Ino): Win32/Nabucur.A
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Obfus.3.Gen
AV Eset (nod32): Win32/Virlock.G virus
AV Fortinet: W32/Agent.NCA
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Obfus.3.Gen
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Win32.Cryptor
AV K7: Virus ( 0040f99a1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.VirLock
AV Mcafee: Trojan-FFGO!27DBAB46DDFF
AV Microsoft Security Essentials: Virus:Win32/Nabucur.gen!A
AV MicroWorld (escan): Trojan.Obfus.3.Gen
AV Norman: Trojan.Obfus.3.Gen
AV Rising: no_virus
AV Sophos: W32/VirRnsm-A
AV Symantec: Suspicious.MH690
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\QywkIcYM.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\KWQYIsAM.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\KWQYIsAM.bat
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\QywkIcYM.bat" "C:\malware.exe""
Creates Process: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\aCkkEMMk.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\cIUEckUI.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\cIUEckUI.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NKQYQQMs.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ByAEkoIg.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ByAEkoIg.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\NKQYQQMs.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\TosogwwI.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\PAMcwUQI.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\JwYQwQok.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\euwkoQUY.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\JwYQwQok.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\euwkoQUY.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TosogwwI.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rGksQYEg.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\rGksQYEg.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\TosogwwI.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PAMcwUQI.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vQwYoIcc.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\vQwYoIcc.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\PAMcwUQI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\fgMokIEY.bat" "C:\malware.exe""

Creates Process:

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\hKYcUgEI.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\hKYcUgEI.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process:

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process:

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wOcUMsko.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\aAIYMAUs.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\aAIYMAUs.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\wOcUMsko.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\NKQYQQMs.bat" "C:\malware.exe""

Creates Process:

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TyEMcwMM.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fIYIcgME.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\fIYIcgME.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\TyEMcwMM.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\LqAcAgoI.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\aCkkEMMk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\LqAcAgoI.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\aCkkEMMk.bat" "C:\malware.exe""
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\QoYsQssE.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hKYcUgEI.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\QoYsQssE.bat
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\hKYcUgEI.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\hkoMUIIM.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fgMokIEY.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YAIAoQYI.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\YAIAoQYI.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\fgMokIEY.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\HwMcswkk.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\NIQIMIsc.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\NIQIMIsc.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\euwkoQUY.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\kUEYQwgI.bat" "C:\malware.exe""

Creates Process:

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\XeAIosYY.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hkoMUIIM.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OUAwQQUA.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\OUAwQQUA.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\hkoMUIIM.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dcMcgkIE.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kUEYQwgI.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\dcMcgkIE.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\kUEYQwgI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DYsIAEoE.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NIQIMIsc.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\DYsIAEoE.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\NIQIMIsc.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zGYwMoQM.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cIUEckUI.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\zGYwMoQM.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\cIUEckUI.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\quAkwEcQ.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\HwMcswkk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\quAkwEcQ.bat
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\HwMcswkk.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\TyEMcwMM.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xcQMoIgU.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\XeAIosYY.bat
Creates File: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\xcQMoIgU.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\XeAIosYY.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\wOcUMsko.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\wOcUMsko.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates Process: C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\QywkIcYM.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\QywkIcYM.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d"

Creates ProcessC:\3622fa0a43ee964c58cd5a848563bbb9d18e2c4d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FilemAIO.ico
Creates FileLUMm.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FilelAcY.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FiledwIu.ico
Creates FileNEwU.ico
Creates FilehEIK.ico
Creates FileC:\RCX2.tmp
Creates FilepIUW.ico
Creates FileZsYi.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileVwEA.ico
Creates FileBgYq.ico
Creates FileJEUq.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FilelIok.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\RCXF.tmp
Creates FilehYIe.exe
Creates FileC:\RCX12.tmp
Creates FilelgYC.ico
Creates FileFgAW.ico
Creates FilerQoM.ico
Creates FilehAcs.exe
Creates FiledQIq.ico
Creates FileC:\RCX18.tmp
Creates FileVkgm.ico
Creates Filedkok.exe
Creates FileC:\RCXE.tmp
Creates FilejwMG.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FilecYUa.ico
Creates FilexIAK.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileZMkc.ico
Creates FilehAoy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileTcMw.ico
Creates FileNQAa.exe
Creates FilePIPE\wkssvc
Creates FilepcYm.exe
Creates FilehkIg.exe
Creates FileZAYa.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileRMcy.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileC:\RCX1D.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FilelQAs.ico
Creates FileC:\RCX17.tmp
Creates FileVYIa.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileVoog.ico
Creates FileNUkI.exe
Creates FiledkwS.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileRUci.exe
Creates FileXUkc.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FilezUIG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileVIwC.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileNgco.ico
Creates FileNIAo.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\RCX3.tmp
Creates FileZgoc.exe
Creates FileVwko.ico
Creates FileC:\RCX20.tmp
Creates FileVIgs.ico
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FilexEka.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileC:\RCXD.tmp
Creates Filexkco.exe
Creates FileLgYC.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FilepoIs.exe
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FilefswY.ico
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileVMwA.ico
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FilexAEI.exe
Creates FileC:\RCX19.tmp
Creates FileFskQ.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates FileZQAS.exe
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileC:\RCX8.tmp
Creates FileBkYQ.exe
Creates FileJcIY.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileJEow.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileBwAI.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileFoYE.exe
Creates FiletcUE.ico
Creates FilemAYk.ico
Creates FileNAYG.ico
Creates FileC:\RCX16.tmp
Creates FiletUgS.exe
Creates FileC:\RCX4.tmp
Creates FileBIMm.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FilejsMe.exe
Creates FileZkMG.ico
Deletes FilemAIO.ico
Deletes FileLUMm.exe
Deletes FilezUIG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilelAcY.exe
Deletes FileVIwC.exe
Deletes FiledwIu.ico
Deletes FileNEwU.ico
Deletes FilehEIK.ico
Deletes FilepIUW.ico
Deletes FileZsYi.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileVwEA.ico
Deletes FileBgYq.ico
Deletes FileNgco.ico
Deletes FileJEUq.ico
Deletes FileNIAo.ico
Deletes FilelIok.exe
Deletes FileVwko.ico
Deletes FileZgoc.exe
Deletes FileVIgs.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FilehYIe.exe
Deletes FilexEka.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilelgYC.ico
Deletes FileFgAW.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FilerQoM.ico
Deletes FilehAcs.exe
Deletes FiledQIq.ico
Deletes FileLgYC.ico
Deletes Filexkco.exe
Deletes FilepoIs.exe
Deletes FileVkgm.ico
Deletes FilefswY.ico
Deletes Filedkok.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FilejwMG.exe
Deletes FilecYUa.ico
Deletes FilexIAK.ico
Deletes FileVMwA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FilexAEI.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileFskQ.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileZMkc.ico
Deletes FileZQAS.exe
Deletes FilehAoy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileTcMw.ico
Deletes FileNQAa.exe
Deletes FilepcYm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilehkIg.exe
Deletes FileBkYQ.exe
Deletes FileJcIY.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileZAYa.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileRMcy.ico
Deletes FileJEow.exe
Deletes FileBwAI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileFoYE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FiletcUE.ico
Deletes FilemAYk.ico
Deletes FileNAYG.ico
Deletes FiletUgS.exe
Deletes FilelQAs.ico
Deletes FileVYIa.ico
Deletes FileVoog.ico
Deletes FileNUkI.exe
Deletes FileBIMm.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FilejsMe.exe
Deletes FiledkwS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileZkMG.ico
Deletes FileRUci.exe
Deletes FileXUkc.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates ProcessC:\WINDOWS\system32\drwtsn32 -p 3436 -e 1668 -g

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ Pid 1924

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\cscript.exe

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\cscript.exe

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 3436 -e 1668 -g

Network Details:

DNSgoogle.com
Type: A
173.194.125.0
DNSgoogle.com
Type: A
173.194.125.1
DNSgoogle.com
Type: A
173.194.125.2
DNSgoogle.com
Type: A
173.194.125.3
DNSgoogle.com
Type: A
173.194.125.4
DNSgoogle.com
Type: A
173.194.125.5
DNSgoogle.com
Type: A
173.194.125.6
DNSgoogle.com
Type: A
173.194.125.7
DNSgoogle.com
Type: A
173.194.125.8
DNSgoogle.com
Type: A
173.194.125.9
DNSgoogle.com
Type: A
173.194.125.14
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1032 ➝ 173.194.125.0:80
Flows TCP192.168.1.1:1033 ➝ 173.194.125.0:80
Flows TCP192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap
0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .


Strings
