Analysis Date: 2015-11-25 09:42:50
MD5: 54feb84aa7d9ac1823b91273796e2049
SHA1: 67c1ff687b60639cd736347668784745b89a93b9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 24f346a4dac48f8cbcf7b2b5077c11ac sha1: 05f8191cf611421c98fc978ba4e04144917a9811 size: 443904
Section .rdata: md5: d871adef8cff7262d3ad564feed0908f sha1: c4b914b33755b8459cf8c3cc4883b7c46e3565e8 size: 512
Section .data: md5: defbf000e058ef3fb444a510444db615 sha1: 05a12b80d674139c74516e7fa6ab2e5346e90ad1 size: 512
Section .rsrc: md5: 2adcacaa5dc7bac30aa2be4c91caea99 sha1: ef1f2b5a427942af8467712de1a752e457a5415b size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 67c596383d9522885f0c23972fa10a742ccf1dbc
IMPhash: 3b8345a9b7ea2d57763f3a18f098f8e9
AV MalwareBytes: Trojan.VirLock
AV Padvish: no_virus
AV Ikarus: Virus-Ransom.FileLocker
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV Fortinet: W32/Zegost.ATDB!tr
AV Grisoft (avg): Generic_r.EKW
AV K7: Trojan ( 0040f9f31 )
AV Kaspersky: Virus.Win32.PolyRansom.b
AV Mcafee: W32/VirRansom.b
AV F-Secure: Win32.Virlock.Gen.1
AV Eset (nod32): Win32/Virlock.D virus
AV Frisk (f-prot): no_virus
AV Ad-Aware: Win32.Virlock.Gen.1
AV BullGuard: Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Authentium: W32/S-b256b4b7!Eldorado
AV CA (E-Trust Ino): Win32/Nabucur.C
AV CAT (quickheal): Ransom.VirLock.A2
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV ClamAV: Win.Trojan.Virlock-9116
AV Dr. Web: Win32.VirLock.10
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV BitDefender: Win32.Virlock.Gen.1
AV Emsisoft: Win32.Virlock.Gen.1

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\67c1ff687b60639cd736347668784745b89a93b9
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PMocsQYs.bat
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\saoogQwA.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\PMocsQYs.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\saoogQwA.bat" "C:\malware.exe""
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\67c1ff687b60639cd736347668784745b89a93b9"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ "C:\67c1ff687b60639cd736347668784745b89a93b9"

Creates Process: C:\67c1ff687b60639cd736347668784745b89a93b9

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\67c1ff687b60639cd736347668784745b89a93b9

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IkQYAkcg.bat
Creates File: C:\67c1ff687b60639cd736347668784745b89a93b9
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\figAYwAc.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\figAYwAc.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\67c1ff687b60639cd736347668784745b89a93b9"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\IkQYAkcg.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\saoogQwA.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\saoogQwA.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\67c1ff687b60639cd736347668784745b89a93b9"

Creates Process: C:\67c1ff687b60639cd736347668784745b89a93b9

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\IkQYAkcg.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\IkQYAkcg.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\67c1ff687b60639cd736347668784745b89a93b9

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7f79_appcompat.txt

Process
↳ C:\67c1ff687b60639cd736347668784745b89a93b9

Creates File: C:\67c1ff687b60639cd736347668784745b89a93b9
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ngAQQwcY.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cWYUcggI.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\cWYUcggI.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\ngAQQwcY.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\67c1ff687b60639cd736347668784745b89a93b9"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\67c1ff687b60639cd736347668784745b89a93b9"

Creates Process: C:\67c1ff687b60639cd736347668784745b89a93b9

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: AAME.exe
Creates File: kIYs.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: YeQQ.ico
Creates File: kYUo.ico
Creates File: EEUi.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: UyQI.ico
Creates File: MGEQ.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\RCX2.tmp
Creates File: KIIw.exe
Creates File: okgE.exe
Creates File: Uwcu.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: YIgc.exe
Creates File: YwkY.exe
Creates File: C:\RCX5.tmp
Creates File: wwIg.exe
Creates File: C:\RCX3.tmp
Creates File: gMwM.ico
Creates File: C:\RCX10.tmp
Creates File: C:\RCXB.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: YcEo.ico
Creates File: QwEU.ico
Creates File: kCkY.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: C:\RCXF.tmp
Creates File: eioQ.ico
Creates File: C:\RCX12.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: Qowo.ico
Creates File: IEIw.ico
Creates File: ksMw.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: AgQY.exe
Creates File: wEUg.ico
Creates File: WYAE.exe
Creates File: C:\RCXD.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\RCX18.tmp
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: EAsu.exe
Creates File: C:\RCX6.tmp
Creates File: YQEI.ico
Creates File: C:\RCXE.tmp
Creates File: C:\RCXA.tmp
Creates File: UKQc.ico
Creates File: C:\RCX13.tmp
Creates File: gsAk.exe
Creates File: C:\RCX11.tmp
Creates File: siwo.ico
Creates File: IkgI.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: gwEo.exe
Creates File: C:\RCXC.tmp
Creates File: C:\RCX19.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: Agkk.exe
Creates File: C:\RCX1C.tmp
Creates File: cQMC.exe
Creates File: ccca.exe
Creates File: QksU.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\RCX9.tmp
Creates File: ykYi.exe
Creates File: C:\RCX1A.tmp
Creates File: WwkA.exe
Creates File: GqQo.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: OwAA.ico
Creates File: EewA.ico
Creates File: MeME.ico
Creates File: C:\RCX8.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: EQci.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: wYIk.ico
Creates File: C:\RCX1D.tmp
Creates File: iEQU.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: MYMK.exe
Creates File: KsEw.exe
Creates File: kEMI.exe
Creates File: C:\RCX16.tmp
Creates File: C:\RCX1B.tmp
Creates File: gEIQ.exe
Creates File: C:\RCX7.tmp
Creates File: oEgg.exe
Creates File: C:\RCX17.tmp
Creates File: QMkw.exe
Creates File: C:\RCX4.tmp
Creates File: sEsq.exe
Creates File: cSwQ.ico
Creates File: IAks.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: cqww.ico
Creates File: IYQk.exe
Creates File: keIo.ico
Creates File: Qckw.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates File: kukk.ico
Deletes File: AAME.exe
Deletes File: kIYs.ico
Deletes File: YeQQ.ico
Deletes File: kYUo.ico
Deletes File: EEUi.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: UyQI.ico
Deletes File: MGEQ.ico
Deletes File: KIIw.exe
Deletes File: okgE.exe
Deletes File: Uwcu.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: YIgc.exe
Deletes File: YwkY.exe
Deletes File: wwIg.exe
Deletes File: gMwM.ico
Deletes File: YcEo.ico
Deletes File: QwEU.ico
Deletes File: kCkY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: eioQ.ico
Deletes File: Qowo.ico
Deletes File: IEIw.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: ksMw.exe
Deletes File: AgQY.exe
Deletes File: wEUg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: WYAE.exe
Deletes File: EAsu.exe
Deletes File: YQEI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: UKQc.ico
Deletes File: gsAk.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: IkgI.ico
Deletes File: siwo.ico
Deletes File: gwEo.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: Agkk.exe
Deletes File: cQMC.exe
Deletes File: ccca.exe
Deletes File: QksU.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: ykYi.exe
Deletes File: WwkA.exe
Deletes File: GqQo.ico
Deletes File: OwAA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: EewA.ico
Deletes File: MeME.ico
Deletes File: EQci.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: wYIk.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: iEQU.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: MYMK.exe
Deletes File: KsEw.exe
Deletes File: kEMI.exe
Deletes File: gEIQ.exe
Deletes File: oEgg.exe
Deletes File: QMkw.exe
Deletes File: sEsq.exe
Deletes File: cSwQ.ico
Deletes File: IAks.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: cqww.ico
Deletes File: IYQk.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: keIo.ico
Deletes File: Qckw.ico
Deletes File: kukk.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@
Starts Service: BgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1168

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ngAQQwcY.bat" "C:\malware.exe""

Network Details:

DNS: google.com
Type: A
216.58.192.78
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.192.78:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.192.78:80
