Analysis Date: 2015-05-25 06:45:31
MD5: 394108758a5b9ffd96cd9279971b6833
SHA1: 680d1818e3766ebf054080c7584704df0687e101

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c15e664b3cbfda67f136deb645b6cd64 sha1: 4a9b2cf9e49366653139cb9420c5f728e0e67bc6 size: 449536
Section .rdata: md5: 0441178c186805ce498fecfa019c0a75 sha1: e2d9c547d1e5eaa726de7eed050478eba03298e7 size: 512
Section .data: md5: 6f7902f15bac552c77362c3398b1837b sha1: 4376645f8b58441b65affc0610ba6f60650dcfc9 size: 512
Section .rsrc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 2015-01-06 00:36:08
PEhash: ea93e82025a16c894213feaaa725a5525bedaf06
IMPhash: 3e6358a57f2351ffa2105f801091c07e

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\680d1818e3766ebf054080c7584704df0687e101
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\esYccQIA.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\MCwUockQ.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\esYccQIA.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\MCwUockQ.bat" "C:\malware.exe""
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\680d1818e3766ebf054080c7584704df0687e101"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\680d1818e3766ebf054080c7584704df0687e101

Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\vOsIYEAU.bat
Creates FileC:\680d1818e3766ebf054080c7584704df0687e101
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PccQUEcM.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PccQUEcM.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\vOsIYEAU.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\680d1818e3766ebf054080c7584704df0687e101"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\680d1818e3766ebf054080c7584704df0687e101

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zmQwogYo.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\UYEgkUIc.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\680d1818e3766ebf054080c7584704df0687e101
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\zmQwogYo.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\680d1818e3766ebf054080c7584704df0687e101"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\UYEgkUIc.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\malware.exe

Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\EOokUQQw.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DGEUoQsg.bat
Creates FileC:\680d1818e3766ebf054080c7584704df0687e101
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\DGEUoQsg.bat
Creates Process"C:\680d1818e3766ebf054080c7584704df0687e101"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\EOokUQQw.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\vOsIYEAU.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\vOsIYEAU.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\680d1818e3766ebf054080c7584704df0687e101"

Creates ProcessC:\680d1818e3766ebf054080c7584704df0687e101

Process
↳ C:\680d1818e3766ebf054080c7584704df0687e101

Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\680d1818e3766ebf054080c7584704df0687e101
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VyEUQcck.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VyEUQcck.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\680d1818e3766ebf054080c7584704df0687e101"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\680d1818e3766ebf054080c7584704df0687e101"

Creates ProcessC:\680d1818e3766ebf054080c7584704df0687e101

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\680d1818e3766ebf054080c7584704df0687e101"

Creates ProcessC:\680d1818e3766ebf054080c7584704df0687e101

Process
↳ "C:\680d1818e3766ebf054080c7584704df0687e101"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FiledsAK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileLkAA.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX14.tmp
Creates FilelMEQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileVeAA.ico
Creates FileVwQm.exe
Creates FileC:\RCX5.tmp
Creates FileBAgw.exe
Creates FilehaAs.ico
Creates FileC:\RCX3.tmp
Creates FileIYcw.ico
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileVEYw.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\RCXF.tmp
Creates Filedskc.exe
Creates FileC:\RCX12.tmp
Creates FileZQkQ.ico
Creates FileskgA.ico
Creates FileTEEg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileC:\RCXD.tmp
Creates FileDEAO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilexYgU.ico
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX6.tmp
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FilevUom.exe
Creates FileFCUk.ico
Creates FileZcEQ.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FilepQIE.ico
Creates FileC:\RCXC.tmp
Creates FileloEy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileVaoo.ico
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\RCX9.tmp
Creates FilejWMQ.ico
Creates FiledQkK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileZkIs.exe
Creates FilexsIM.exe
Creates FileVsgW.exe
Creates FileC:\RCX8.tmp
Creates FilexoAS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FilevoUI.exe
Creates FilePQcc.exe
Creates FilexYcY.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileRYAc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FilezwsY.ico
Creates FiledwwG.exe
Creates FileVwkS.exe
Creates FileVCMo.ico
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates Filexwwk.ico
Creates FileC:\RCX7.tmp
Creates FileIakM.ico
Creates FiletYEa.exe
Creates FilehQEK.exe
Creates FileC:\RCX4.tmp
Creates FilelCsg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FiledsAK.exe
Deletes FileLkAA.ico
Deletes FilejWMQ.ico
Deletes FiledQkK.exe
Deletes FilelMEQ.ico
Deletes FileZkIs.exe
Deletes FileVeAA.ico
Deletes FileVwQm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileVsgW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileBAgw.exe
Deletes FilehaAs.ico
Deletes FileIYcw.ico
Deletes FilexoAS.exe
Deletes FilevoUI.exe
Deletes FilexYcY.exe
Deletes FilePQcc.exe
Deletes FileVEYw.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes Filedskc.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileRYAc.ico
Deletes FilezwsY.ico
Deletes FileTEEg.ico
Deletes FileskgA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FiledwwG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileVwkS.exe
Deletes FileVCMo.ico
Deletes Filexwwk.ico
Deletes FileDEAO.exe
Deletes FileIakM.ico
Deletes FilexYgU.ico
Deletes FiletYEa.exe
Deletes FilehQEK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileFCUk.ico
Deletes FilevUom.exe
Deletes FileZcEQ.exe
Deletes FilelCsg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FilepQIE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileloEy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileVaoo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\MCwUockQ.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\UYEgkUIc.bat" "C:\malware.exe""

Process
↳ "C:\680d1818e3766ebf054080c7584704df0687e101"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\EOokUQQw.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1140

Network Details:

DNS: google.com
Type: A
216.58.219.174
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.174:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.174:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings
..
.
H.
.
q
.
..,..
.
da.1

*$)0\/
0}3%??
0.-^45G
0.-^4e@
_09Oa4l
##[0d"
0d"VEz
0Dvz0V
0ev71t
0F,kxX
0F,q4W
0& ge%A
0>+kAF
%@_0MU,
0__\r[Q"!l
0T\}6V
0TE	'R/k
0U6bT`
0UGD`C+q4U
0v.jPXzf
0WYZ3lT
`0YsNZ
0Z-j|Pse
0	zS#F
1}0t]/
12N>32
14(8cH
)_1ggT
`1hkKs
1@`Ke,	
]1 L>[2
1QCIc[
}1"#@u
1wSZqz
(1x=@S
1&ycie
20)h4*
2#cM@!{?
2fg@4?
2h*s-i
2#IM@!{?
2ng@4?
2NkeMw^
2ns^jD
:2NzFA
2#qM@!{?
2to7n_
}2"#@u
2Vg@4?
@-2=xH=
$2=xH=
390	:^
	39q(r
,3e*G/<
.3&gWYu'
\3y5D 
-"#3z 
4(2u|3/
&4!5"\$
*-^45F
4;8;Y\
4bhY!h'
4bhY!h'sT
4#bM@!
/-^4%D
(-^4-D
(4[D j
4DZ=&T
[4e_hgo
(-^4MF
`4`	>N
4p_F@u
4@)RsfEh
?[4rYJ
)^4TOq
4}tVC8
}4:#@u
.^4U7W
*-^4uF
*^4UGB9A@
,^4UmS:VC
{4Z{Uh
54dthB
54We@t
5=F`XvH
5i]*l-@
5pn,wg
6` dxu5
6TUp[PC
6\/^UA.^4
6U?Mnh@
=7A ' 
7	C-^4
[7EqS#~
7<H]y(
7?rwu@
7/un }m
8]c;n^sc
&8[euD
)8-q^4
(-^8Ul
8]!V%u
@8{X`?4
=9D:^M
9HkR cb
9IxqD\
9q<@]$F
9QJP}#
9TaO?$Z
*9ToO9$Z
9v)Oysu*
9W/VxR
-a1Cjs
,a1+ms
A1q_CCw
A1q_C@w
)a1S3q[
*a1sH#\#,d
(a1SI"\
)a1s##K
)a1S+q'9Vg
+a1Ssq.IPg
.a1+Zs;
a3Ip{Y
A47	,7
,a4}9~
.a4cD[
+a4CHs
`A	'4k
(a4S[q`
.a4S[qiqWg
/a4+us
/a5Kt#
)a5S;qd
A7(f)u
A7YFY+
`>aD1Yu
a\E)tH
A^G.H&;
AI?i	=wd
Aj}mBj
-AjW45
a K6ZG1@e
alx7|P
=AMSq5
'AnX&9H
aOD)i|<
ao`Ga[[Ph
]AO,L]"
A_Pd/[
A-q4U{ 
A|]srd
A;>T6I
AUa(MU
A@w_D<
^AWe]Df
AwZM}q]qH
ayKe^vJ
AZEEx)%
#,,`b{=
B#$0`.
=%B1&R
]|b})	6
*,B9!a
B9pT"C6
b9TcO?$Z
=*BELI
<BFVsS
b].gP5
BH+>Avp7
B">ht=
..B=]$K
b?kdKx
`bL87`
*^B?<N
BQU>W 
bR00O)W+x
`Br}'h
.Bt?S?1
.Bu!nx
BVgyU{ 
![%b"<w
-bx?SWO
C0oY|t
c1'c5x'
/)c4J-
c~+Acv=Af/]
`CbXU}
cfz\,,
CgO0le@D6
CJrQO|`
|C-j@sV`
Cn^Via
Cp.C1W
cp$NvN
`cPXJ&
`cpXxT
C.q4eF#4
%CQSq[APg
/c+T"(_
c"V_ca
?+CVh=
C^W"gZHf
{D^38G=
D 62I!
@.data
""D?avW
dB,Us 
dc{<~ 
D<gwvp
"dI!S"
dKOLbf
D<LI8:_A
D^N[m<
d$OQG)
d,%P4<
(]:Dr+>
\ds4^C
d%S"B`
d,<ye-
d)Y|ki
:+E3^W
E4?#@T
E-)4VfIi}
e.53El
E=60t_\
*e] 8p]
E9GT|f
e+a*URv"0
Ec@#Vv
E,EvyuW
)~(Ef1
eF:qB0
Eh#}m=l
Ej }m$
]@eSnK
e\`tf'
EtT CD=
eu4h]3c
-EUy]V
+'~.E+w
E&wm})
EW/wD&9
f@0?C@
f@7_v@4
`F8I$p
F9TeO?$Zg<
F!a]L,w_
fbc,"h
|\fbg`
:FB#JD
%F}Eq_/
{Ff0	C
\<Fgf1
fIe.4&
f\l<3<
f@?Lf46
f@?Lf5G1
FR"&O(a
f<$=SENy
fU"{jD`
FvIoxN
FWWtAr=
FWWtqr=
+<*,fX
fX~,mN
fyI#x'
G4[YVb
-g7]@}
g(70sQ
g/79 U
g8<9Xt
g}8[uf
=gER\7
GetCapture
GetCaretBlinkTime
GetConsoleWindow
GHZBsS^2
G^Ik#V
G'()jt[
G~m]Pf
gTRtN\
guyR#U
gV[qQYSg
gY6m%#+O
H#08 ~;y
h=2=yH=
`*H>'8
h9W<,r
HBx@9G
HcA8JSSP
he!1Gf
heQ""y
hF=[9Ez
hjt=s4
H.?m=M
H<N26Og
%hn_IV
H>;*,o
hR"AX~g
`(hR:t
HSa`m_/UW
!-HTu+x<
hUs6UC
Hu~vap
_hWs$%
HX+$=W
h%,y|n
hyy)S*
I>5}/Q
`;I#60
`{I*|a
IafhD;]-
i#c}aW
IDwsC 
I?{I'ku
i-L8I\
^Il9?K
%I:?MlF
'.io"+!I
IsBadStringPtrA
iVZo:JHX
iWs.-msb%P
!_IYzI
.$&J!#
+j4Y|f
J$/8.{g
j;AK\R
J!"bK.
[~J#@c
 j+c g
jc`W-JB
(j!]@d
~\*ji>
`j"i(1
<jI,kO
|j}I[U3
+jjY'c
}j$}m$
j=#MC5
/jM]Lb
~J$N.I
 J=oLnp
`JP_6~
JP !FG'*Kg
j%r~=>
JU,u-h
j.&W#3
}J^	Y\
~jyPUE
'&*j.yS
K0f8pE
?K3(.T((d
k#4zyL
.k6Yno
*k|]8d
KC\2/dD
'+kc;(d
Ke\	2[
kernel32.dll
K!#gK.
K[!IVTpZ`
KjIMqA[
!-kkXfa
&(kNXid
=$(kol0o
(ko]Qa
)kOY5a
ks~VWg
/++kt[@b
k(^v=d 
(kW[Oa
L0GY/.
l2=}H=
[LAN,0rt
L,Hdr'
L*k4[;e
L,NsNt
l\(oq?,5
`LPS%|
l(pVCr
/lQ+E$
L;Qml|
l#R$ng
L-R*Y>
+LUEiT
luO|f#}]n
%lxNhCA
%	@l z
	~^{,M
<#~M@1
M=-3O=
M}5EAa5QA
%-MAT"
mb%OHM
Mds`M=
M)g0En
M@#iM@
Mj$}m,
Mk7ZKf
MK8gAqDd
m`k:BC
M@#lM@
mn }m$
M^oya?b
MPOy?!
!Mp^SJ
_Ms(Bef
!>?Mts
Mu~l|lf
M}VCnR
>}m.YX]
Mz9wHHC
n 1UPi
Nce~K^
`N@_Cp
`nhWE;
_+Nj;~
n\JL^(tS
@N/m]6M
NmQ+5_)Us
$n|-Na
NPN$2-
'nr3=o
n=*Rs{
nS"u;pYD
ntdll.dll
NtSetHighWaitLowEventPair
N#upp^
n|=@xi
nZQ{TQ?
,O}0o[
\O0SS"6Y
O3j4do
O7CZo^<F
	o88h}
o'8^}W
o!%|}G
{OGA	IF
OK6ZD]
oleaut32.dll
oO|(I\
=OOq-9(
_o(s!	
.&$oSCf
oSG}qJR
,_=Os|Vw
o.Us\U@
@+oVsh
o"WkL`
P1NT-,
%]P3MUh
P9|);R
PB2tP4S
pd3:D*
pE7Qw}
pFQsp-
[PjsVV
(PnuL{
poeVE=
]PpM0V
P#q]O`
PS<H_;	<8
PsnT-{4
_PSqCiPg
$=PSqkAQg
PU|}YO
p;v.k@u
#[PwdM
pYlTgm$
q2DRs0
-q4\/E
*q4T7/
,q4T-f
*q4To)
)q4Trd/
.q4TWd
+-q4%U
.q4U7fs]F@
(q4UG?5
q=+)AF
	qA$k&
	q;~d8
qEj*QjEj
qf9u4D
q	FhD3]
qHYYCn
QkqZYQg
QL7KPau&T#
QL7KPbu&T%
QmxU"\y
Qp~Q+u
qR_5tf
QrISDr
Q"_wagU0
 QxrW!
Q#Yfmd
Q*;YnR
Q#zbmg
R00O)W+x
R0!0R3&'Gv
Rb+|*t
`.rdata
	r<DKN
r;gnAg
rG:O1g
Rich!l
rjM#G<
rK1*Fh
r&l"r`T&
`r(?.n
Rn~P|)
R|nQh:H
Rnw62%%'
rNyUEC
R,OwT[
(Rs+Eh
*Rs,Eh
RsSU'q
R]SWz*;
Rvy\_v
#'R'W/m5
RyhUy=
S07|2dJ\D
s0E)q4
s4,~&0
s4/^"0O_&
s4*/X0
#*S<"a,
SafeArrayCopy
\saU&Y
S;)E%K
S"]]F`
S#"^fg
!@sgwD
`.S(hz
\\>%S"IDLe
sj<QrKSDY
s,jsUu
sKA18Q 
SkqXQUg
S`pEe8q
s-PSq[
S;q8.r
S[qqYPg
Ss8VWg
SsFVWg
sSFX!c
SSqdYUg
Ss#VWg
StrfTdH
s.U5XC
sY3ZQN
syn|.@
 %SZeB
T5X|Q(j
T"A]>f
TAOe0s
@T%Fpo
TgZVCAP
"@-tH0
;tHdw5c
!This program cannot be run in DOS mode.
[tK{Q`
:=t`*lY%:- 
T#N]2a
T}O|%*k
T"o(U*
t^PSqkiPg
t&>;!q;
tR+ D^
TSq}APg
TSq}iPg
T'T2j@
tT_zkQE
tv@&(B2
:+TvDP
Tv)jKX
,TxZ_5
!ty)jN
u:1i2B
u2=yH=
`U3c4r
[U".;5
u$5Hxo	
u*6>?S
`UB_E`
ubfPMm
uBUM_:S
uj }m$
*[uLz7
u:M#ai1vQ<
U"n1Lg
!un }m
un$}m$
UoE_(C
U'>&pbI
U{pjyVg
u=q6.S
U[qd9Wg
U"qYhe
(Us0MV
(Us<5V
U{s?'^a
)Usd%V
user32.dll
UshU_/
.)Us$mA
)Us;-P
,USq~QQg
USq%YUg
)Us~-T
*Us<-U
)Usu-W
,Usw-W
*UsxMV
,U}UR	
Uu#\t-j(Ulo
 uV0	w
UVLT"O
u	+Y\8\m
U]/Z@-j
u,Z@?Se
U"ZX'c
v)2NM){9
VaiJtt
Va-L8p
Vg?X(q
VH/e*n"n_
vib)k`
~Vj/:<
'`vj]Q
),v+!K
VkjwS#
V#*o2e
`vQz;&
~[vr{*
VsgUU"
VSqFiQg
Vs	U_%%PEW
vT]b"P
V"xyEe
VYQ[qt
^,w-[?
-W]07_
w(6]<	
`WaO,H
wB*=4 w
WD ?Kq
We{oar;
|<wGiZ4
w~?H(w
W NTN4
woEwnya<:
wpER	,8|
<W>Py:,
+[WQ-l
W#r_be
,WSqdQPg
WSqZ1Wg
Ww?sLd
XCVcI2Z
^xD\#:	
X_(E(I
XI8eT.
X,	jp~f|
x<l</N
xM2=yH=
Xnm$}mt
$<xN/W
"x'r-Az
?x't:)
y0hE==
Y};8]{
yBaQ*p
`{ YCE
y]\I*7_
yK7SWje
Y-RsNEh
yso	roV
ytp#^]/
?ytuI<H#
@ yTwg
yV";$,d
}yY,'<
y^zkl'2
;)>';z
*-z0r7
"z5@\=6
Z	}8tsC
;zA{:&
(Z}=AZ
ZbQI{R
ziVnytv
"z'j!7
$Zl%zX
zM+jP6
&)Zm ly
ZoO:+j9
`zPQYf
zqQ+%Y
!}Zr/w?
z.sewD
Z"Tey	
ZTsQUo
ZVm:a`
Z?VSqFQQg