Analysis Date: 2015-01-14 15:45:18
MD5: 4d18afb5ec2288c903346cfa69c8b6ba
SHA1: 3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 0d8b266c77c522c41e889d3708420eefa86b67e3
IMPhash:
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Obfus.3.Gen
AV Alwil (avast): VirLock-A:Win32:VirLock-A
AV Arcabit (arcavir): Trojan.Obfus.3.Gen
AV Authentium: W32/S-43a675a7!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV BullGuard: Trojan.Obfus.3.Gen
AV CA (E-Trust Ino): Win32/Nabucur.A
AV CAT (quickheal): Ransom.VirLock.A2
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Obfus.3.Gen
AV Eset (nod32): Win32/Virlock.G virus
AV Fortinet: W32/Agent.NCA
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Obfus.3.Gen
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Virus-Ransom.FileLocker
AV K7: Virus ( 0040f99f1 )
AV Kaspersky: Virus.Win32.PolyRansom.a
AV MalwareBytes: Trojan.Agent.RND1Gen
AV Mcafee: Trojan-FFGO!4D18AFB5EC22
AV Microsoft Security Essentials: Virus:Win32/Nabucur.A
AV MicroWorld (escan): Trojan.Obfus.3.Gen
AV Rising: no_virus
AV Sophos: W32/VirRnsm-A
AV Symantec: W32.Ransomlock.AO!inf
AV Trend Micro: PE_FINALDO.F
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PAwgwwUI.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sswogQAs.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\PAwgwwUI.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\sswogQAs.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bGMsAkoM.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kMIAIowo.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\kMIAIowo.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\bGMsAkoM.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MAcMQAQM.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OoQEQgAo.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\OoQEQgAo.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\MAcMQAQM.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\uYIscEwk.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\uYIscEwk.bat
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WgcYUEAI.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\WgcYUEAI.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\uYIscEwk.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\VkAkoogI.bat
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\oewIgIgs.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\oewIgIgs.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\VkAkoogI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\iqsccgUM.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IUYwsUYM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\IUYwsUYM.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\iqsccgUM.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fOIAIsEI.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\HWQAwAYU.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\HWQAwAYU.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\fOIAIsEI.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\fOIAIsEI.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\fOIAIsEI.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\OCsQMUoQ.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\OCsQMUoQ.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PWsEQwsU.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fWkowAUk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\fWkowAUk.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\PWsEQwsU.bat" "C:\malware.exe""
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PUsAUkME.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DmgYUQog.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\PUsAUkME.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\DmgYUQog.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\vuAwEQgY.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\MAcMQAQM.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\VMwgQQkU.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jmAskssE.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\jmAskssE.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\VMwgQQkU.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\iqsccgUM.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\JyYQUMQk.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OCsQMUoQ.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\KMYwIIIs.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\KMYwIIIs.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\OCsQMUoQ.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YsUIsEQs.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IUUIQggE.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\YsUIsEQs.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\PWsEQwsU.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wacIwwck.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\JyYQUMQk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\wacIwwck.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\JyYQUMQk.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\YeYQsEkI.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\BsEQgAwA.bat
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yCosoYsk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\yCosoYsk.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\BsEQgAwA.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\VMwgQQkU.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kMUUwwwQ.bat
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hqoMUUEM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\kMUUwwwQ.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\hqoMUUEM.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\sswogQAs.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\sswogQAs.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\DmgYUQog.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YeYQsEkI.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csIIwwQI.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\csIIwwQI.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\YeYQsEkI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\vuAwEQgY.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\FYMEgoYk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\FYMEgoYk.bat
Creates Process"C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\vuAwEQgY.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qskoQUkw.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\XAwMAUss.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\XAwMAUss.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\qskoQUkw.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\GuwAwAAU.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\QIcEckIE.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\QIcEckIE.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\GuwAwAAU.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\BsEQgAwA.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\GuwAwAAU.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates Process

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\qskoQUkw.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Creates ProcessC:\WINDOWS\system32\drwtsn32 -p 3996 -e 132 -g

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\bGMsAkoM.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Creates ProcessC:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileGYUk.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileewwK.ico
Creates FileC:\RCX5.tmp
Creates FileyEQS.ico
Creates FileiQQg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileWQkA.exe
Creates FileuMci.ico
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates FileqkAW.exe
Creates FileCwkW.exe
Creates FileksgK.ico
Creates FileC:\RCX18.tmp
Creates FileC:\RCXE.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileKoMu.exe
Creates FileaIAC.ico
Creates FileMwcO.ico
Creates FileWYga.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileSoss.exe
Creates FileOYQw.ico
Creates FileWkQE.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileIckw.ico
Creates FileqEYK.exe
Creates FilePIPE\wkssvc
Creates FileSMkg.ico
Creates FileKMoa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileyssW.exe
Creates FileC:\RCX1D.tmp
Creates FileuQwu.ico
Creates FilegkEY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileKwsG.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileC:\RCX17.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileqQYE.ico
Creates FilemQIO.exe
Creates FileioYW.exe
Creates FileaoMY.exe
Creates FileewcM.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileGAgU.exe
Creates FileqgwW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileSIIO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileWIQM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileewEw.exe
Creates FileWUYO.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\RCX3.tmp
Creates FileAIIe.exe
Creates FileWYQY.exe
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileMIEa.ico
Creates FilegIYM.exe
Creates FileKcgO.exe
Creates FileuwQK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileocYG.ico
Creates FileuwkE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileyoUW.exe
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileGMMm.ico
Creates FileC:\RCX13.tmp
Creates FileIYgk.ico
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileKUIY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileQIAA.ico
Creates FileKAYi.exe
Creates FileC:\RCX1C.tmp
Creates FileKsMG.ico
Creates FileC:\RCX1A.tmp
Creates FilemgQk.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileC:\RCX8.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileeoAI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileOgAC.ico
Creates FileUkYS.exe
Creates FileGYAI.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileykoO.ico
Creates FileXsgM.exe
Creates FileC:\RCX16.tmp
Creates FileOAsM.exe
Creates FilemUsO.ico
Creates FileigUq.exe
Creates FileOwsi.ico
Creates FileC:\RCX4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileyYgK.ico
Deletes FileSIIO.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileWIQM.ico
Deletes FileGYUk.exe
Deletes FileWUYO.ico
Deletes FileewEw.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileewwK.ico
Deletes FileyEQS.ico
Deletes FileAIIe.exe
Deletes FileWYQY.exe
Deletes FileiQQg.exe
Deletes FilegIYM.exe
Deletes FileMIEa.ico
Deletes FileWQkA.exe
Deletes FileuMci.ico
Deletes FileKcgO.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileuwQK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileqkAW.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileuwkE.ico
Deletes FileocYG.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileCwkW.exe
Deletes FileksgK.ico
Deletes FileyoUW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileKoMu.exe
Deletes FileaIAC.ico
Deletes FileMwcO.ico
Deletes FileGMMm.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileIYgk.ico
Deletes FileWYga.ico
Deletes FileSoss.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileKUIY.exe
Deletes FileWkQE.exe
Deletes FileQIAA.ico
Deletes FileKAYi.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileIckw.ico
Deletes FileqEYK.exe
Deletes FileKsMG.ico
Deletes FilemgQk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileSMkg.ico
Deletes FileeoAI.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileKMoa.exe
Deletes FileOgAC.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileUkYS.exe
Deletes FileyssW.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileuQwu.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileGYAI.ico
Deletes FilegkEY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileXsgM.exe
Deletes FileykoO.ico
Deletes FileOAsM.exe
Deletes FileKwsG.exe
Deletes FilemUsO.ico
Deletes FileigUq.exe
Deletes FileOwsi.ico
Deletes FileqQYE.ico
Deletes FilemQIO.exe
Deletes FileioYW.exe
Deletes FileaoMY.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileewcM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileyYgK.ico
Deletes FileqgwW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileGAgU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\VkAkoogI.bat" "C:\malware.exe""

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\hqoMUUEM.bat" "C:\malware.exe""

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c

Process
↳ "C:\3a1a56a0e487e967756ef2f1ebfdbc590edd407c"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ Pid 2856

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 3996 -e 132 -g

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Network Details:

DNSgoogle.com
Type: A
173.194.125.67
DNSgoogle.com
Type: A
173.194.125.68
DNSgoogle.com
Type: A
173.194.125.69
DNSgoogle.com
Type: A
173.194.125.70
DNSgoogle.com
Type: A
173.194.125.71
DNSgoogle.com
Type: A
173.194.125.72
DNSgoogle.com
Type: A
173.194.125.73
DNSgoogle.com
Type: A
173.194.125.78
DNSgoogle.com
Type: A
173.194.125.64
DNSgoogle.com
Type: A
173.194.125.65
DNSgoogle.com
Type: A
173.194.125.66
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1032 ➝ 173.194.125.67:80
Flows TCP192.168.1.1:1033 ➝ 173.194.125.67:80
Flows TCP192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap
0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .


Strings
Q
}
_
llll'
l
P
E

02<0Dg\
0Dg\PDg\
)){0( J!!
0pG=)x
1< Dg\
1\}fNd
1g3]Yo9}qe3
1l9Wkm
%!1S*a
:1WE=aE4
`2T(WR
2vHu kN
2W7Q_P
=	'3]{
)'3Mq}
3p~#Y:P
	'3]SF[E
'3u1u#mi7C
3u#Ei7C
'3]x_k]"t;-
3`~#Y:P
	'3]yw
^-3yxf
|~3ZP55
4`2|`Q
485zR}
4knV'A>
,4XP?1
=4$/yV
5	'3];
+5"$3-	o
+5"$3-	oRu
{5"D3-c'
+5"D*-9
5suJ%aG
+5"t;-
5Xd]hQ
5xEN2R
|5XP?1
)	5,(YOr'
#6O|Dg\
6"O{~*F2
6)UFd~
6	wK%a'
7Co	'3]Y
+7d/DrR
#=|+7d;n0t@(r
*8lecqmd
	8R^^{
8S>hT}V
9g+&JG
9mI%Qo
9*qtv'x
9t#x;r
A7`N*^"
AbHD>r
:A}>fD
[<AG+Nj
Ag\PDg\
A?`ni4k
aO$^e8A
AO`nYL
aOt~@LH
aT#&&k
AvnHvrlx@
)AvnHvZ`I>r$lB
Avn@v	Tn
Avn@vY6,
A<@`+W
axz ]Oz
B2Pptp
b4"d2,
 Bc~bE&
'bF#&flkYwl#~bn{">
 bg5 jg
BJV'9fN
b\pDg\
b+'Q?!
 &b,s%
\b"uHu0"
,-bV:=$,
BWhUpG
bX> RT
BZVD,j`
BZVD,z`FGrl
C<	'3]
$C}6dT
cE"dK-	
ceL/_]
:cFFrt
;_CG1GC
cGg\xDg\
C?	Ok]3g
Crl@F}|B
{~C}vn
cV=sSW=s
C?x_k]s%2%
cY0Dg\
cyDd~?pJR
C/Yo!equ:MY
"D3-c'
d\8Dg\
dbf?L)
d\`Dg\
DdYf,I
D#E%YD
d~ggYR
Dg;i,;
Dg\PDg
Dg\PDg\
d\HDg\
DmFnAIf
DmFnEIf
DmFnFIf
DmFnFIf?`
DmFnFIfg`
DmFn]If
DmFnQIf
DmFnUIfo`+
dm|vnXz$4
dn	Q;W%ifV'A
?Do"B&
DO!oII
dqB'Z]
&"dT\|
DvnH~rl
	DvnHz
	DvnHz$f@~
	DvnXz
d!Ww:L
d~W{ZR
dX8Dg\
DXxDg\
e1g3]Y
E	'3]{
E	'3]{OcEY
eB<P T<
EcGkEq
Eg\0-;
;E)Gc]s
Eg\(Dg\
egECdY
eG<P 4>
#Ei7k=
EIoY5Yw
Ekg3E{w[E
Elq^66
'#Eq}k%
'#Eq}k%k/KEIGc
ER?I[P
EVrlXB}
ezdV'QfV
e[Z-WB
#Fbl@FZ
FDdYNDK3
FdY^~K
Fg\@Dg\
"Fg\hDg\
Fg\hDg\
FHhBnf
FHhBnfjYNr4
FHhBnf*_Nr4
FHhBnfzNNr4
FHhBnn:ENr4,FHhB
!fl{1>kK
'fl fg,s%
#&fl#&fl#&fl#&fl#&&k
#fl{q^j
[}fux"
fV'A-z&afV
#fYh.&~
#Fzl@F
G3MYo)
gcb}H3
<GDdY&
g\ Dg\
GEhBnul@
Gg\8Dg\
GHhBnVL
GHhBnVLA^
GHhBnVLA^^
GHhBnVLAOrl8Z
\GIt?<
gJR'yE
{~"Gkf3EQg+N
gL#&>h
gmYDg\
g{n[H3
g- Rg% 
gs}SHo
GsuJ%yOK5"t:-k
@g\xDg\
?{~[H3
]}^[H3
hB<l@f
hBtl@f
hBvl@f^
\hBv\P
hBwl@^
hBzl@F
Hd~gQIR
hDvnHz
hDvnHz4s@V*
hDvnHzLb@N*
hDvnHzLu@V*
hDvnXz$4
H#&fD;
HhBn~*FNr4
HhBn~RYNr4
HhBnVL
HhBnVL!Orl
HH{p3iA
=.H.j;
@Hk(CDq
HKnSl@lOL1Jm
HKnSl(oOL1Jm
Hl~'dD#&flO
hls%$o
hLvnHz,`@N*
hLvnXz
hLvnXz$4
H>r4,FHhBn~
#hY`e2
I'3mq}
iAvn vZ8F>r
iAvnxw
iAvnxwa
iAvnxwZ
iDvnHzR
idvnHzR-Ffr
iDvnHzR-Ffr
iDvnHzR}Ifr
iDvnHzR}Nfr
iDvnHzRuIfr
idvnHzRUYfr
iDvnHzR%Zfr
iDvnXzR
iDvnXzR=8b
iDvnXzR]:b
iDvnXzRm8b
i-e\xDg\
}I<@/f,
{?(Ii+
i'K5qu;%
i/kMy'k5
i/kMy'k5"
iL&55&(^k;
;}IoQ4
irx?TY
iTvnHzR
itvnHzR-Ffr
iu6U)&
i$vnHzR
i$vnHzR-_fr
i$vnHzRM\fr
i$vnHzRmJfr
i$vnHzRMWfr
i$vnHzRUVfr
i$vnHzR-Vfr
i$vnXzRm8b
:~%	}j
j2oG\D
J51'3]
J5Yo@~rl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl
jcew+"%
jEQo)4
]J<#&fl
jH`G	@
JR?MjR}V
\(_JRP
J*rZv@
'$^}#&>k:
K5	'3]
K5	'3]c&
_k5q%b
K]9g3e[
Kd~GcXR'
kEYwCW
kEYw#W
kf3EQg+N
KKd~_MHRo
Kmkf3E
'KMql@&rl@Frl@Frl@Frl@Frl@Frl@Frl@
kMsu"5i7C
'KM"t;-
}KmYOC
kOL1Jm
Kp,{N|n
KQ@\oL
k>r4lD*
KV7y^P
\Kw37y
k=y'3}k
KZ4	Ih
l'$>{:
l0( {0( 
l7d;+s
L8fB_8
l#&fl#&fl#&fl#&fl
lf\pDg\
>"l ,)GSLh
>"l ,ig#=c&
}~LnEB
lOL1Jm
:lPna<8
lq	2G+	
L(YOr2
m	'3]"
;M	'3]IG3O	
;M	'3]IGCO8
M;6iL+N
MBg\P4
/mBnrl@F
MDNKpC
m'$f|#&^j
m'$f|#&^j#4bF#&fl
Mfv@"fZ8R
m)|)GCO
Mi/3o	
mMf[H!9F
m'$nl#&6os
m'$nl#&&o-"d
;MQi{Pd
mqu;mYo	eq
Mrn)AmE
msRJruu
';M"tJ-yOK5s
mYo	5q
nB*:/#0z
NHhBnf
NHhBnf*KNr4
n`'$n|#&>k
@Nrl8V&f@n*@
|NR'QG
n!*S5<
Nw.DDdY~t
Nxn{Du
nYOj-	
`nYOJxV
o4oY-qt
O]8Dg\
O8S~\8
	oAwsmAGsmAGsmAGc'
Ob(	@1
Ob(	 3
OCOYo)d9
o`fBOXw
OfZT(WR
oHhBnVL
oHhBnVLa]^
oHhBnVLAJrl8R
oHhBnVLALrl8J
oHhBnVL!Orl8J
oHhBnVLyOrl8Z
O=HKnSlH
O!I@dY
oIMC'3Eq
oiMi/K
oI%Qo)4
{OL1Jm
OMHKnSl
O{N[H!
o*pthFAhB
oQ~-A}F
O!qe~7
oQNO\}
OR71]P
OR7"YO
%osvf{(z
o?U[Po
o'$~x*2b
oY|AG#O
oy.[hQ
oYOR72
Oz04vz
)p~`^;
p4,VHhBn~
p$7Qrl@Z
p$7RrlXb[[D
p$7Trl@J
(P7y^P
 p[, 8
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
pADdY~
pc5=pS?
pdCUqh@
pddF3b@f
pddF3j@f
pddF3s@f
pddFcb@f
pddFC}@f
pddFCf@f
pddF#f@f
pddFKu@f
pddFSd@f
pddFsf@f
pddFsx@f
pd@Fr4dE3L;brl@njHfFIB$J
\&]pDg\
pdL@cl@
pdL@dl@
pdL@~l@
pdL@|l@~
pdL@zl@
pdL@zl@6
pd[R[[D
pdT@cl@
pdT@dl@
pdT@kl@~
pdt@~l@
pdT@{l@&
pdT@}l@
pdT@|l@V
pdT@ml@
pdt@ul@v
pdt@xl@N
pdT@zl@
pd|@ul@
pd|@xl@
P$E%IH
PH!1[P
PR71^P
PR7Q^P
pt]N|n(BKlN
p~@^;V
pVDJ15Lh
P~`WR~@
p$wRrlHr[[D
p>xI!1c~?|XR/
Q	2/+	
=q%3mY
q3W]e/
Q8R:j`~
Q&E%!O
Q-e\xDg\
QfV'AfV'AfV'AfV'A
QgCO8Ok
Qg(WjI
Q'If.WB 
';]qmA7sE3Ec'
%Qo9mq
]QoQmq
qrl8FNj@n
%qu"5i7C
qu;5Yo
quJm1'k
'Q}vux
QX&+xs
:\;Qz\
R-~4[[
r/4W?q_P
R}6UD|
rcV]rsT
Rich!4O
_rj_R/
rl@F5h@
rl@F9@Afrl
rl@Frl@Frl@Frl@Frl@Frl@F
rl@Frl@Frl@Frl@Frl@Frl@Frl@
rl@Frl@Frl@Frl@Frl@Frl@Frl@6rl@Frl@Frl@Frl@Frl@Frl@F
rl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@Frl@FrdrEY
rl@Frl@Frl@Frl@Fzl@Frl@F
rl@FVJ
rm|Pk|
[(_:RP
\(_"RP
.rP!&fl#&
rSHk1pun
r[TercT
R}VCSy6{
r{V%ssV
#-s]:%
sbm|g<j
_+sCvV
S<cVw>[P'
=sE3Ec'
sEYG+vj
sEYG#wk
;S`|HK 
SRBnd\
SRD		8
"sSO,*
su#%i7C
suJuYo)w
SW~[\)
szpl@Fr4lDj
}{t[(_
Ter+TUr
T^]hDg\
!This program cannot be run in DOS mode.
&tP!&fl#
T(WR_P
u;5q,:-q
U#=ag#=9
Ue\HDg\
;U!.fl#~Bob
Ui+BCnz
u !nJm0"d
UPGpCq}
u-PKu-P
u=sc&=s
u=scV=s{V=s
U}V[H3
V05 	\
VDlbl@FJB
VDlzl@F*;x@
v;E9g+
VL1] w
VLaX0oA
VL!Krl8J
VL!Orl8J
VLqIrl8B
vmPKu-P
vn@~!,
@vnHvZ`F>r
@vnHvZ@J>r
vnHzLu@N*
vnHzR}Dfr
vnHzR=Efr
vnHzR-Efr
vnHzR%Efr
vnHzReJfr
vnHzR]Gfr
vnHzR}Ifr
vnHzR=Jfr
vnHzRMHfr
vnHzRmJfr
vnHzRuKfr
vnHztu@N*
vn@~I\n
vn@vq4,
vn`vrl
@vn`vZ(F>r
|vnX~\P
vnXvrl
vnXzR=
vnXzR]
vnXzR=8b
v=Q;u5P
{V=sCW
V\$wzpd@Fr
V;Y7zs
vZpl8F
vZpl8Fnh@n
vZpt8F
vZpt8FVj@n
wc\ Dg\
wcxvNqMD
wEj1at?
W]eKWep3
W]eKWEp3
Weq2WU
WeqRWU
Weq:WU
Weq"WU
Weq*WU
WeqZWU
W]eSW]p3
W]e+W-p2
WHhBnVL
WHhBnVL)\
WHhBnVLi^
WHhBnVL!Jrl
WHhBnVL!Orl
WHhBnVLqOrl8R
;W%ifV'IBuf
wOL1Jm
wP3nqG
wP!Ffl#~)n
wP!.fl#~Ql9
W-p[TEvB
Ws@_WsF
Wy6[H3
wz@pcz
\$wzpd@Fr
%wZpl8FfD@n
x#	2(Y
xB6Mi@
xBVUh@
xBV]v@
xC}6XZ~
Xf(N1q
X>&GhDD
#Xi@Ej
#XIoDa
Xlf\xDg\
XwzHTwz
xz`K~z
+Y2;Mu
ya[zd+:' 
Y(_bQP
Y(_BRP
Y^hQ6cD}n
Yo)7c'
%YO#7k
y'#-{OcEY
YO*-	@J
yOK5",
](YOrG
YR79_P
Y{W]e3WMp3G
,y]ZI3;
.yZR/%
y~z`u~z
{z 4wzHr~z
z'afV?E@^
ZDlrl@F
ZDlzl@F
>zeAbN
zH`Gfl@
zH`Gfl@F^
zH`G~l@
zH`G{l@
zH`G{l@&
zH`G{l@&^
zH`G}l@
zH`Gll@F
zH`Gml@
zH`Gol@V
zH`Gtl@
zH`Gul@
zH`Gvl@
zH`Gwl@
zH`Gxl@
zH`Gxl@F^
zH`Gyl@
zH`Gzl@
zH`Gzl@6
{zh=wz(
zP&Crl
](_ZQP
\(_zRP
ZRw&[P?
ZR?Y8P
zSbUQs
"ZVD,j`
ZVD,j`
ZVD,j`vD
ZVD,z`
zX&Grl
zXNDrl
zz(^gz
zZpd8F
zZpd8FNF@n
zzp|@Fr4