Analysis Date2016-01-28 04:23:47
MD5b0da88c15a13a0ad4187d516e4954cbc
SHA13adff9e44954140b8c6ff4092e121b4bab1b38d0

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 121f9e1238a7c9935a1c174271ffb6a2 sha1: 0b7caf7f34bc929b3e1d55e7e3b4403b38b008bf size: 449536
Section.rdata md5: 0130fe2c6ae60664539119cfdd072856 sha1: 066bd68bd5514159f06cc79a5f3e8c89a37c97e9 size: 512
Section.data md5: 0cf76ba7c036e527ea6937a304f6ec20 sha1: 4c6ca025fbcef0270fbb1e9f422f6bff0291a37e size: 512
Section.rsrc md5: ebe96038973b8e910881343a60ff4375 sha1: ef2dbaba84e708d5c41d6f65af32150eb5001737 size: 4608
Timestamp2015-01-06 00:36:08
PEhash989a4b27a479790013f557a07741f760e1a12d7f
IMPhashe5433b1058692e3c04c5d6930baeddc1
AVRisingTrojan.Win32.PolyRansom.a
AVMcafeeW32/VirRansom.b
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVTwisterW32.PolyRansom.b.brnk.mg
AVAd-AwareWin32.Virlock.Gen.1
AVAlwil (avast)MalOb-FE [Cryp]
AVEset (nod32)Win32/Virlock.D virus
AVGrisoft (avg)Generic_r.EKW
AVSymantecW32.Ransomlock.AO!inf4
AVFortinetW32/Zegost.ATDB!tr
AVBitDefenderWin32.Virlock.Gen.1
AVK7Trojan ( 0040f9f31 )
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMalwareBytesTrojan.VirLock
AVAuthentiumW32/S-b256b4b7!Eldorado
AVFrisk (f-prot)No Virus
AVIkarusVirus.PolyRansom
AVEmsisoftWin32.Virlock.Gen.1
AVZillya!Virus.Virlock.Win32.1
AVKasperskyVirus.Win32.PolyRansom.b
AVTrend MicroPE_VIRLOCK.D
AVCAT (quickheal)Ransom.VirLock.A2
AVVirusBlokAda (vba32)Virus.VirLock
AVBullGuardWin32.Virlock.Gen.1
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVClamAVNo Virus
AVDr. WebWin32.VirLock.10
AVF-SecureWin32.Virlock.Gen.1
AVCA (E-Trust Ino)Win32/Nabucur.C

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\rIoAsokg.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qckQEwcg.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\rIoAsokg.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\qckQEwcg.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process"C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\zmgEIIAU.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"

Creates ProcessC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0

Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zmgEIIAU.bat
Creates FileC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\NsIYsYEY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\NsIYsYEY.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\zmgEIIAU.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"

Creates ProcessC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0

Process
↳ C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\8a58_appcompat.txt
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WAocEgUE.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\WAocEgUE.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\WINDOWS\system32\dwwin.exe -x -s 1780
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0

Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aGkswsMQ.bat
Creates FileC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ViEAoIUI.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aGkswsMQ.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ViEAoIUI.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"

Creates ProcessC:\3adff9e44954140b8c6ff4092e121b4bab1b38d0

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FilexAMY.ico
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FilexkcQ.exe
Creates FileC:\RCX2.tmp
Creates FilelSMc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileFQcy.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FilexIoI.ico
Creates FileC:\RCX5.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DF2934.tmp
Creates FilenewA.ico
Creates FiledAsO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FilehoYo.exe
Creates FileC:\RCXF.tmp
Creates FiletqkI.ico
Creates FileC:\RCX12.tmp
Creates FileTQEo.exe
Creates FileRsMQ.exe
Creates FilepMkM.ico
Creates FileNIky.exe
Creates FileJcUs.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FileRUsE.ico
Creates FileZAwI.exe
Creates FileC:\RCXE.tmp
Creates Filexggc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileRAsM.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileNAkO.exe
Creates FilefAgw.ico
Creates FilePIPE\wkssvc
Creates Filetksi.exe
Creates FiledGok.ico
Creates FileRcYY.ico
Creates FileZgQg.ico
Creates FilePQMu.exe
Creates FilebQIY.exe
Creates FilexAgE.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileC:\RCX1D.tmp
Creates FileJAYY.exe
Creates FiletAcQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileNgMu.exe
Creates FileC:\RCX1B.tmp
Creates FileZssO.exe
Creates FileC:\RCX7.tmp
Creates FileC:\RCX17.tmp
Creates FiledkgG.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileVWQo.ico
Creates FileTEUI.ico
Creates FileNEkW.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileNCEc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileBIgQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileJwgY.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileBkoI.exe
Creates FileC:\RCX3.tmp
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FilepIEM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates Filedsoa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileNAsi.exe
Creates FilepQcE.ico
Creates FilehQkI.ico
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FiledKsM.ico
Creates FileC:\RCXA.tmp
Creates Filedssu.exe
Creates FileRcwE.exe
Creates FilePUMW.exe
Creates FileC:\RCX1F.tmp
Creates FileZQQs.ico
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates FileDWso.ico
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FilepAAk.ico
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileBUUM.ico
Creates FileC:\RCX8.tmp
Creates FilerwEI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileRMkM.exe
Creates FileFiAo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileNkMy.exe
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FiletKcg.ico
Creates FileFKMI.ico
Creates FiletGUs.ico
Creates FileZcIA.exe
Creates FileC:\RCX16.tmp
Creates FileNAAy.exe
Creates FileC:\RCX4.tmp
Creates FilenswQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileZssk.exe
Creates FileVqUc.ico
Creates FileZMcc.ico
Creates FiledGYo.ico
Deletes FilexAMY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilexkcQ.exe
Deletes FileBIgQ.exe
Deletes FilelSMc.ico
Deletes FileJwgY.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileBkoI.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileFQcy.exe
Deletes FilexIoI.ico
Deletes FilenewA.ico
Deletes FiledAsO.exe
Deletes FilehoYo.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FiletqkI.ico
Deletes FilepIEM.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes Filedsoa.exe
Deletes FileNAsi.exe
Deletes FileTQEo.exe
Deletes FilepQcE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileRsMQ.exe
Deletes FilehQkI.ico
Deletes FilepMkM.ico
Deletes FileNIky.exe
Deletes FileJcUs.exe
Deletes FileRUsE.ico
Deletes FiledKsM.ico
Deletes FileZAwI.exe
Deletes Filedssu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes Filexggc.ico
Deletes FilePUMW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileRcwE.exe
Deletes FileZQQs.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileRAsM.exe
Deletes FileDWso.ico
Deletes FilepAAk.ico
Deletes FileNAkO.exe
Deletes FilefAgw.ico
Deletes Filetksi.exe
Deletes FiledGok.ico
Deletes FileBUUM.ico
Deletes FileRcYY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilePQMu.exe
Deletes FileZgQg.ico
Deletes FilebQIY.exe
Deletes FilexAgE.ico
Deletes FilerwEI.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileRMkM.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileFiAo.ico
Deletes FileNkMy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileJAYY.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FiletAcQ.exe
Deletes FiletKcg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileFKMI.ico
Deletes FiletGUs.ico
Deletes FileZcIA.exe
Deletes FileNgMu.exe
Deletes FileZssO.exe
Deletes FiledkgG.exe
Deletes FileNAAy.exe
Deletes FilenswQ.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FileZssk.exe
Deletes FileVqUc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileVWQo.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileTEUI.ico
Deletes FileZMcc.ico
Deletes FileNEkW.exe
Deletes FiledGYo.ico
Deletes FileNCEc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1876

Process
↳ Pid 1172

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\qckQEwcg.bat" "C:\malware.exe""

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 1780

Process
↳ "C:\3adff9e44954140b8c6ff4092e121b4bab1b38d0"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ViEAoIUI.bat" "C:\malware.exe""

Network Details:

DNSgoogle.com
Type: A
216.58.219.142
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.58.219.142:80
Flows TCP192.168.1.1:1032 ➝ 216.58.219.142:80

Raw Pcap

Strings