Analysis Date: 2015-11-26 18:03:34
MD5: efece12537c0b0e99bffb7e7f181544d
SHA1: 67de61143212c46f87b1fdc90a401568e211facf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 0b9fcf1ba55050226d8a873cbdd4ff05 sha1: df47ccf1b616c2ff0e1a8bc33ec8cfaedd9cccb6 size: 443904
Section .rdata md5: 34f362c5ed2afb55e454bc8027966f3b sha1: 82d93f6b755414b6c1b9bfa465492bd7ea3b3542 size: 512
Section .data  md5: ae00557a207da3e71c2c1598029dd39f sha1: ad9770f8c1f15784daa2717509e064b8b39110ce size: 512
Section .rsrc  md5: 3c6f8d7fd40577d20eefa352fc2f4600 sha1: 669c48066e1d0cb895b7be1f2a9def0040d27876 size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 67c596383d9522885f0c23972fa10a742ccf1dbc
IMPhash: 878f98c5971f97703f7d879a947bcd99
AV Mcafee: W32/VirRansom.b
AV CA (E-Trust Ino): Win32/Nabucur.C
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV Padvish: no_virus
AV CAT (quickheal): Ransom.VirLock.A2
AV Rising: Trojan.Win32.PolyRansom.a
AV Sophos: W32/VirRnsm-C
AV Ad-Aware: Win32.Virlock.Gen.1
AV Symantec: W32.Ransomlock.AO!inf4
AV ClamAV: no_virus
AV Trend Micro: PE_VIRLOCK.D
AV Twister: W32.PolyRansom.b.brnk.mg
AV Authentium: W32/S-b256b4b7!Eldorado
AV VirusBlokAda (vba32): Virus.VirLock
AV Dr. Web: Win32.VirLock.10
AV Zillya!: Virus.Virlock.Win32.1
AV Emsisoft: Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Eset (nod32): Win32/Virlock.D virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV Fortinet: W32/Zegost.ATDB!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Win32.Virlock.Gen.1
AV BitDefender: Win32.Virlock.Gen.1
AV Grisoft (avg): Generic_r.EKW

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cuAwcMYY.bat
Creates File: C:\67de61143212c46f87b1fdc90a401568e211facf
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rEMoksEc.bat
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\cuAwcMYY.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\rEMoksEc.bat" "C:\malware.exe""
Creates Process: "C:\67de61143212c46f87b1fdc90a401568e211facf"
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\67de61143212c46f87b1fdc90a401568e211facf

Creates File: PIPE\samr
Creates File: C:\67de61143212c46f87b1fdc90a401568e211facf
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jokYcMYM.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kmcwgwkw.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\jokYcMYM.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\67de61143212c46f87b1fdc90a401568e211facf"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\kmcwgwkw.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\67de61143212c46f87b1fdc90a401568e211facf"

Creates Process: C:\67de61143212c46f87b1fdc90a401568e211facf

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\67de61143212c46f87b1fdc90a401568e211facf"

Creates Process: C:\67de61143212c46f87b1fdc90a401568e211facf

Process
↳ "C:\67de61143212c46f87b1fdc90a401568e211facf"

Creates Process: C:\67de61143212c46f87b1fdc90a401568e211facf

Process
↳ C:\67de61143212c46f87b1fdc90a401568e211facf

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\80ca_appcompat.txt
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 1804
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\67de61143212c46f87b1fdc90a401568e211facf

Creates File: PIPE\samr
Creates File: C:\67de61143212c46f87b1fdc90a401568e211facf
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\suEEkIAU.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\KgkgosAg.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\suEEkIAU.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\67de61143212c46f87b1fdc90a401568e211facf"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\KgkgosAg.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: pAck.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: JAgU.ico
Creates File: lGcg.ico
Creates File: C:\RCX2.tmp
Creates File: VOME.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates File: C:\RCX5.tmp
Creates File: xgQM.ico
Creates File: NEgG.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: ZMAo.exe
Creates File: lkAG.exe
Creates File: VYIq.exe
Creates File: C:\RCXF.tmp
Creates File: C:\RCX12.tmp
Creates File: BksY.exe
Creates File: NMkq.exe
Creates File: rQwS.exe
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\RCX18.tmp
Creates File: REEk.exe
Creates File: C:\RCXE.tmp
Creates File: Bwko.ico
Creates File: RMYM.exe
Creates File: VsUO.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: pUcC.exe
Creates File: FoYK.exe
Creates File: tWwg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\RCX9.tmp
Creates File: xwgk.exe
Creates File: xEIc.ico
Creates File: PIPE\wkssvc
Creates File: NiEo.ico
Creates File: lIcG.exe
Creates File: pgkI.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates File: ZUgc.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: FSAY.ico
Creates File: C:\RCX1D.tmp
Creates File: xwgU.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: JUAw.exe
Creates File: FiAI.ico
Creates File: C:\RCX1B.tmp
Creates File: FYYA.ico
Creates File: C:\RCX7.tmp
Creates File: tuUw.ico
Creates File: C:\RCX17.tmp
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates File: DsMM.exe
Creates File: dUoG.exe
Creates File: dkMu.exe
Creates File: hosE.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates File: BAok.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: Nacw.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: DwYw.ico
Creates File: BwcA.ico
Creates File: psco.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: BcgY.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: VuoA.ico
Creates File: FUou.exe
Creates File: lkAu.exe
Creates File: C:\RCX3.tmp
Creates File: C:\RCX20.tmp
Creates File: C:\RCXB.tmp
Creates File: C:\RCX10.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: yscw.ico
Creates File: JCws.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: C:\RCXD.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX1.tmp
Creates File: C:\RCX1E.tmp
Creates File: C:\RCX6.tmp
Creates File: dAEi.exe
Creates File: C:\RCXA.tmp
Creates File: C:\RCX1F.tmp
Creates File: VWIk.ico
Creates File: C:\RCX13.tmp
Creates File: C:\RCX11.tmp
Creates File: C:\RCX21.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: C:\RCX19.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: C:\RCX1C.tmp
Creates File: RwQg.ico
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: tYEm.exe
Creates File: C:\RCX1A.tmp
Creates File: pwAM.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: xIcg.ico
Creates File: C:\RCX8.tmp
Creates File: FKcY.ico
Creates File: dico.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: HMEy.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: dKQU.ico
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: hAkw.exe
Creates File: C:\RCX16.tmp
Creates File: xkwI.ico
Creates File: BgQU.exe
Creates File: C:\RCX4.tmp
Creates File: FAgy.exe
Creates File: taUs.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF7FC.tmp
Creates File: xIcc.ico
Creates File: NYkW.exe
Creates File: BoQw.exe
Creates File: lcwu.exe
Deletes File: Nacw.ico
Deletes File: DwYw.ico
Deletes File: pAck.exe
Deletes File: psco.exe
Deletes File: BwcA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: BcgY.ico
Deletes File: JAgU.ico
Deletes File: lGcg.ico
Deletes File: VOME.ico
Deletes File: VuoA.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: FUou.exe
Deletes File: lkAu.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: xgQM.ico
Deletes File: NEgG.exe
Deletes File: ZMAo.exe
Deletes File: lkAG.exe
Deletes File: VYIq.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: yscw.ico
Deletes File: JCws.ico
Deletes File: BksY.exe
Deletes File: NMkq.exe
Deletes File: rQwS.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: REEk.exe
Deletes File: dAEi.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: Bwko.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: RMYM.exe
Deletes File: VWIk.ico
Deletes File: VsUO.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: pUcC.exe
Deletes File: FoYK.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: RwQg.ico
Deletes File: tWwg.ico
Deletes File: tYEm.exe
Deletes File: xwgk.exe
Deletes File: pwAM.ico
Deletes File: xEIc.ico
Deletes File: NiEo.ico
Deletes File: xIcg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: lIcG.exe
Deletes File: FKcY.ico
Deletes File: dico.ico
Deletes File: pgkI.ico
Deletes File: HMEy.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: ZUgc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes File: FSAY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: dKQU.ico
Deletes File: xwgU.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: JUAw.exe
Deletes File: FiAI.ico
Deletes File: hAkw.exe
Deletes File: FYYA.ico
Deletes File: xkwI.ico
Deletes File: tuUw.ico
Deletes File: BgQU.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes File: taUs.ico
Deletes File: dUoG.exe
Deletes File: DsMM.exe
Deletes File: FAgy.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: xIcc.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: NYkW.exe
Deletes File: dkMu.exe
Deletes File: hosE.ico
Deletes File: BoQw.exe
Deletes File: lcwu.exe
Deletes File: BAok.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1148

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\rEMoksEc.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\kmcwgwkw.bat" "C:\malware.exe""

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 1804

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\KgkgosAg.bat" "C:\malware.exe""

Network Details:

DNS: google.com
Type: A
216.58.192.78
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.192.78:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.192.78:80
