Analysis Date2015-10-20 15:15:16
MD542f2eb95244dfefe7d69f3a5b816ad89
SHA1680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 2880d5ce2fe147ae39b11c8bc8d7e647 sha1: c00cfe47ede87d7a97127f4f53e856459abdb6aa size: 442880
Section.rdata md5: 5d35344bd8c9aeff846bd73108c83aa6 sha1: c597fcbe7fc5c04f3e94efdd52c64461b73efebb size: 512
Section.data md5: a8560ee2eaf91c7f8fe73fbdc5e5736a sha1: 89466df3cedc45ca324fa701e2a4fd02173e7545 size: 512
Section.rsrc md5: ea61dc103a99a26afccdc9678bbd3159 sha1: 974e8809ea80f2c59a498b9d1430a8d6b2a0bf59 size: 4608
Timestamp2015-01-06 00:36:08
PEhashb662c3803f95702285a159acccbf5e8ddf8052de
IMPhash95e04ce5157315306089cf2580dd250c
AVCA (E-Trust Ino)Win32/Nabucur.C
AVF-SecureWin32.Virlock.Gen.1
AVDr. WebWin32.VirLock.10
AVClamAVno_virus
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVBullGuardWin32.Virlock.Gen.1
AVPadvishno_virus
AVVirusBlokAda (vba32)Virus.VirLock
AVCAT (quickheal)Ransom.VirLock.A2
AVTrend MicroPE_VIRLOCK.D
AVKasperskyVirus.Win32.PolyRansom.b
AVZillya!Virus.Virlock.Win32.1
AVEmsisoftWin32.Virlock.Gen.1
AVIkarusVirus-Ransom.FileLocker
AVFrisk (f-prot)no_virus
AVAuthentiumW32/S-b256b4b7!Eldorado
AVMalwareBytesTrojan.VirLock
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVK7Trojan ( 0040f9f31 )
AVBitDefenderWin32.Virlock.Gen.1
AVFortinetW32/Zegost.ATDB!tr
AVSymantecW32.Ransomlock.AO!inf4
AVGrisoft (avg)Generic_r.EKW
AVEset (nod32)Win32/Virlock.G virus
AVAlwil (avast)MalOb-FE [Cryp]
AVAd-AwareWin32.Virlock.Gen.1
AVTwisterW32.PolyRansom.b.brnk.mg
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVMcafeeW32/VirRansom.b
AVRisingTrojan.Win32.PolyRansom.a

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aakowkkI.bat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\juIscMsc.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aakowkkI.bat
Creates Process"C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd"
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\juIscMsc.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates ProcessC:\WINDOWS\system32\drwtsn32 -p 3744 -e 1904 -g
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd"

Creates ProcessC:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Process
↳ C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Creates FileC:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\amsMEQAw.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DssEcEQQ.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\amsMEQAw.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\DssEcEQQ.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd"

Creates ProcessC:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd"

Creates ProcessC:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Process
↳ C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd

Creates FileC:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\JaIAAEok.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\bQIMIEEs.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\JaIAAEok.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\bQIMIEEs.bat" "C:\malware.exe""
Creates Process"C:\680dcd600f8b193da7c1471ca78fab4dcf3b13fd"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileOIwg.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\RCXF.tmp
Creates FileKaYw.ico
Creates FileC:\RCX12.tmp
Creates FileCQcK.exe
Creates Filewccc.ico
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FileescU.exe
Creates FileC:\RCXE.tmp
Creates FileiEIu.exe
Creates FileWIYU.ico
Creates FileScEC.exe
Creates FileCuYE.ico
Creates FileckwW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileWoAI.ico
Creates FileC:\RCXC.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FilePIPE\wkssvc
Creates FileeMgY.ico
Creates FileeUgE.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FilemsAc.ico
Creates FileC:\RCX1D.tmp
Creates FileqIkS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileWkgA.exe
Creates FileWsAY.ico
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileqswC.exe
Creates FileC:\RCX17.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileMAgy.exe
Creates FilemQIQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileCqkk.ico
Creates FileSIsW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DF17FC.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileqqwA.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileGYow.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileyskK.exe
Creates FileyCoM.ico
Creates FilekCgM.ico
Creates FileukgM.ico
Creates FileegQQ.ico
Creates FileKukE.ico
Creates FileC:\RCX3.tmp
Creates Filemqkk.ico
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileiOEQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileCqQw.ico
Creates FileKIQi.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileUMce.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileWgQc.exe
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileSEAm.exe
Creates FileeEkA.ico
Creates Filekgcm.exe
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileqYoC.exe
Creates FileakcE.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates Fileuoog.ico
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileuSks.ico
Creates FileC:\RCX1A.tmp
Creates FileyCQg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileKmcU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileCCUU.ico
Creates FileiUso.ico
Creates FileC:\RCX8.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileOYIo.ico
Creates FileqIke.exe
Creates FileKUQy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileuAgk.exe
Creates Fileqekk.ico
Creates FileuUkQ.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FilemYcs.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileqgEO.exe
Creates FileWsko.ico
Creates FileC:\RCX16.tmp
Creates FileqMcE.ico
Creates FileOIcY.exe
Creates FileyOgg.ico
Creates FileC:\RCX4.tmp
Creates FilescMi.exe
Creates FileuUQc.exe
Creates FileCEYM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileOQAY.exe
Creates FileMAUs.ico
Creates FileWAEk.exe
Creates FilemooU.exe
Deletes FileqqwA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileOIwg.exe
Deletes FileGYow.exe
Deletes FileyskK.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileyCoM.ico
Deletes FilekCgM.ico
Deletes FileegQQ.ico
Deletes FileukgM.ico
Deletes FileKukE.ico
Deletes Filemqkk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileKaYw.ico
Deletes FileiOEQ.ico
Deletes FileCQcK.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileCqQw.ico
Deletes FileKIQi.exe
Deletes FileUMce.exe
Deletes Filewccc.ico
Deletes FileWgQc.exe
Deletes FileescU.exe
Deletes FileSEAm.exe
Deletes Filekgcm.exe
Deletes FileeEkA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileiEIu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileWIYU.ico
Deletes FileScEC.exe
Deletes FileCuYE.ico
Deletes FileckwW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileWoAI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileakcE.exe
Deletes FileqYoC.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes Fileuoog.ico
Deletes FileuSks.ico
Deletes FileyCQg.ico
Deletes FileKmcU.ico
Deletes FileeMgY.ico
Deletes FileCCUU.ico
Deletes FileeUgE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileiUso.ico
Deletes FileOYIo.ico
Deletes FileqIke.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileKUQy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FilemsAc.ico
Deletes FileuUkQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileuAgk.exe
Deletes Fileqekk.ico
Deletes FileqIkS.exe
Deletes FilemYcs.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileqgEO.exe
Deletes FileWkgA.exe
Deletes FileWsAY.ico
Deletes FileqMcE.ico
Deletes FileWsko.ico
Deletes FileqswC.exe
Deletes FileOIcY.exe
Deletes FileyOgg.ico
Deletes FilescMi.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FileCEYM.ico
Deletes FileuUQc.exe
Deletes FileMAgy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileOQAY.exe
Deletes FileMAUs.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FilemQIQ.exe
Deletes FileCqkk.ico
Deletes FileSIsW.exe
Deletes FileWAEk.exe
Deletes FilemooU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\juIscMsc.bat" "C:\malware.exe""

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 3744 -e 1904 -g

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\bQIMIEEs.bat" "C:\malware.exe""

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1064

Network Details:

DNSgoogle.com
Type: A
74.125.21.113
DNSgoogle.com
Type: A
74.125.21.102
DNSgoogle.com
Type: A
74.125.21.101
DNSgoogle.com
Type: A
74.125.21.100
DNSgoogle.com
Type: A
74.125.21.139
DNSgoogle.com
Type: A
74.125.21.138
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 74.125.21.113:80
Flows TCP192.168.1.1:1032 ➝ 74.125.21.113:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings