Analysis Date2015-07-08 02:28:03
MD5fbc5ca918ed2df7d9fc4922ca42fc5b2
SHA141663b07bca2c40a47d904217701bcc6ceeea922

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1f04ca20cdf2ce9604ad24cdb46cc5ef sha1: cd52184254913732b25e75ff386982d583b37ea4 size: 452608
Section.rdata md5: 3485358aadcf22870690aed14f126020 sha1: 059400d594b07955d596cd1d4cbabfe13260e09d size: 512
Section.data md5: 2401e90c6b303eb0479d3dc9c8a09c05 sha1: 8fe87f260d3a856e2372ee36c294f1eaaba50abd size: 512
Section.rsrc md5: 44601472f02fc7259b0f7a7bd1816abe sha1: 6da233468c1a6202852853bab11b87634dcb9669 size: 4608
Timestamp2015-01-06 00:36:08
PEhasha09ae4e55d072589ead1f53605ad33bc4a1086cd
IMPhash59e9d64de2c3375dffd0d7a67fa9600d
AVRisingTrojan.Win32.PolyRansom.a
AVCA (E-Trust Ino)Win32/Nabucur.C
AVF-SecureWin32.Virlock.Gen.1
AVDr. WebWin32.VirLock.10
AVClamAVno_virus
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVBullGuardWin32.Virlock.Gen.1
AVPadvishno_virus
AVVirusBlokAda (vba32)Virus.VirLock
AVCAT (quickheal)Ransom.VirLock.A2
AVTrend MicroPE_VIRLOCK.D
AVKasperskyVirus.Win32.PolyRansom.b
AVZillya!Virus.Virlock.Win32.1
AVEmsisoftWin32.Virlock.Gen.1
AVIkarusVirus-Ransom.FileLocker
AVFrisk (f-prot)no_virus
AVAuthentiumW32/S-b256b4b7!Eldorado
AVMalwareBytesTrojan.VirLock
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVK7Trojan ( 0040f9f31 )
AVBitDefenderWin32.Virlock.Gen.1
AVFortinetW32/Zegost.ATDB!tr
AVSymantecno_virus
AVGrisoft (avg)Generic_r.EKW
AVEset (nod32)Win32/Virlock.G virus
AVAlwil (avast)MalOb-FE [Cryp]
AVAd-AwareWin32.Virlock.Gen.1
AVTwisterW32.PolyRansom.b.brnk.mg
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVMcafeeW32/VirRansom.b

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\cOIAsgIU.bat
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\41663b07bca2c40a47d904217701bcc6ceeea922
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\JcUwYEkU.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\cOIAsgIU.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\JcUwYEkU.bat" "C:\malware.exe""
Creates Process"C:\41663b07bca2c40a47d904217701bcc6ceeea922"
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\41663b07bca2c40a47d904217701bcc6ceeea922"

Creates ProcessC:\41663b07bca2c40a47d904217701bcc6ceeea922

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\41663b07bca2c40a47d904217701bcc6ceeea922"

Creates ProcessC:\41663b07bca2c40a47d904217701bcc6ceeea922

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\41663b07bca2c40a47d904217701bcc6ceeea922

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\YKIwckIY.bat
Creates FileC:\41663b07bca2c40a47d904217701bcc6ceeea922
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\cOIIkAco.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\YKIwckIY.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\41663b07bca2c40a47d904217701bcc6ceeea922"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\cOIIkAco.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\cOIIkAco.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\cOIIkAco.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\41663b07bca2c40a47d904217701bcc6ceeea922

Creates FileC:\41663b07bca2c40a47d904217701bcc6ceeea922
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zAIUMcMQ.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\saAkcAcI.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\saAkcAcI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\zAIUMcMQ.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\41663b07bca2c40a47d904217701bcc6ceeea922"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\41663b07bca2c40a47d904217701bcc6ceeea922"

Creates ProcessC:\41663b07bca2c40a47d904217701bcc6ceeea922

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\41663b07bca2c40a47d904217701bcc6ceeea922

Creates FileC:\41663b07bca2c40a47d904217701bcc6ceeea922
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\OgoIwcow.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aOYUMQMA.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\OgoIwcow.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\aOYUMQMA.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\41663b07bca2c40a47d904217701bcc6ceeea922"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\41663b07bca2c40a47d904217701bcc6ceeea922"

Creates ProcessC:\41663b07bca2c40a47d904217701bcc6ceeea922

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileKAIm.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileegQk.ico
Creates Fileuwoa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileKusE.ico
Creates FileC:\RCX5.tmp
Creates FileMwsE.exe
Creates FileC:\RCX3.tmp
Creates FileyAso.exe
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\RCXF.tmp
Creates FileSCkE.ico
Creates FileC:\RCX12.tmp
Creates FileaEkE.exe
Creates FileywAa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FilegUQy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileaiwM.ico
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileGUQY.ico
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FilemYsM.exe
Creates FileKGQM.ico
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX6.tmp
Creates FileGeIM.ico
Creates FileCsse.exe
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FileCsEe.exe
Creates FilegkEU.ico
Creates FileuUcw.ico
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileKYUK.exe
Creates FileuUMU.exe
Creates Filemogk.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileGQAc.ico
Creates FileGsgs.ico
Creates FileC:\RCX19.tmp
Creates FileGUIs.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileuwAk.exe
Creates FileKMgy.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\RCX9.tmp
Creates FileqUcW.exe
Creates FileSgEC.exe
Creates FileC:\RCX1A.tmp
Creates FileKyAQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileaUcK.exe
Creates FileyOso.ico
Creates FileCSok.ico
Creates FileewcY.exe
Creates FileC:\RCX8.tmp
Creates FilequgM.ico
Creates FileOEUk.ico
Creates FileCWwQ.ico
Creates FileOuco.ico
Creates FileamQc.ico
Creates FileikAE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FilemMIE.exe
Creates FilesEgE.exe
Creates Fileuocs.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates Fileaacg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileakkS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileiowW.exe
Creates FileecEg.exe
Creates FileSaYE.ico
Creates FileC:\RCX16.tmp
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileiWwE.ico
Creates Fileaosy.exe
Creates FileC:\RCX17.tmp
Creates FileqwYE.ico
Creates FileC:\RCX4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileiUoa.exe
Creates FileycEM.ico
Creates FileASwo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileKAIm.exe
Deletes FileegQk.ico
Deletes Fileuwoa.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileKusE.ico
Deletes FileMwsE.exe
Deletes FileyAso.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileSCkE.ico
Deletes FileaEkE.exe
Deletes FileywAa.exe
Deletes FilegUQy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileaiwM.ico
Deletes FileGUQY.ico
Deletes FilemYsM.exe
Deletes FileKGQM.ico
Deletes FileGeIM.ico
Deletes FileCsse.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileCsEe.exe
Deletes FilegkEU.ico
Deletes FileuUcw.ico
Deletes FileKYUK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileuUMU.exe
Deletes Filemogk.exe
Deletes FileGsgs.ico
Deletes FileGQAc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileGUIs.exe
Deletes FileuwAk.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileqUcW.exe
Deletes FileKMgy.exe
Deletes FileSgEC.exe
Deletes FileKyAQ.ico
Deletes FileaUcK.exe
Deletes FileyOso.ico
Deletes FileCSok.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilequgM.ico
Deletes FileOEUk.ico
Deletes FileOuco.ico
Deletes FileamQc.ico
Deletes FileikAE.ico
Deletes FilesEgE.exe
Deletes FilemMIE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes Fileuocs.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes Fileaacg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileakkS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileiowW.exe
Deletes FileecEg.exe
Deletes FileSaYE.ico
Deletes FileiWwE.ico
Deletes Fileaosy.exe
Deletes FileqwYE.ico
Deletes FileiUoa.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileycEM.ico
Deletes FileASwo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1172

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\JcUwYEkU.bat" "C:\malware.exe""

Process
↳ C:\41663b07bca2c40a47d904217701bcc6ceeea922

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\aOYUMQMA.bat" "C:\malware.exe""

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\zAIUMcMQ.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network Details:

DNSgoogle.com
Type: A
216.58.216.78
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.58.216.78:80
Flows TCP192.168.1.1:1032 ➝ 216.58.216.78:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings