Analysis Date: 2015-11-16 21:15:31
MD5: d11b3af24935922b7e67f2490c05240b
SHA1: 7d6e1c1bb6734f3990a5c3cf1130536548fdf551

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a86466828a366eb14b5b9e7a3b491f68 sha1: 9bbe5636ab68385ed56d5306f6bdbe3e9a52fe22 size: 443904
Section .rdata md5: 36191b0561d249efa4284bb239bbff42 sha1: 66ee7bc120fd4cc80796f6480ea0706d6df1be69 size: 512
Section .data md5: 466be1e76fdecd5f425f840c65b29028 sha1: e5b78277f1013b76a119a8178f10dd7b01c47cca size: 512
Section .rsrc md5: ed7009833e41add1616592425af38996 sha1: 55120ce4e5d7a60cf0ad1cd5aafb89912c047265 size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 67c596383d9522885f0c23972fa10a742ccf1dbc
IMPhash: 6805bf8810d6c115a47f0a014848ad24
AV McAfee: W32/VirRansom.b
AV CA (E-Trust Ino): Win32/Nabucur.C
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV Padvish: no_virus
AV CAT (quickheal): Ransom.VirLock.A2
AV Rising: Trojan.Win32.PolyRansom.a
AV Rising: Error Scanning File
AV Sophos: W32/VirRnsm-C
AV Ad-Aware: Win32.Virlock.Gen.1
AV Symantec: W32.Ransomlock.AO!inf4
AV ClamAV: Win.Trojan.Virlock-9044
AV Trend Micro: PE_VIRLOCK.D
AV Twister: W32.PolyRansom.b.brnk.mg
AV Authentium: W32/S-b256b4b7!Eldorado
AV VirusBlokAda (vba32): Virus.VirLock
AV Dr. Web: Win32.VirLock.10
AV Zillya!: Virus.Virlock.Win32.1
AV Emsisoft: Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Eset (nod32): Win32/Virlock.D virus
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Fortinet: W32/Zegost.ATDB!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Win32.Virlock.Gen.1
AV BitDefender: Win32.Virlock.Gen.1
AV Grisoft (avg): Generic_r.EKW

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kAsIQowA.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\eicwAQYE.bat
Creates File: C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\eicwAQYE.bat
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: "C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\kAsIQowA.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Starts Service: BgMMsMHT

Process
↳ C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\673b_appcompat.txt
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bkkwgEkQ.bat
Creates File: C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\bkkwgEkQ.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 1780
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551"

Creates Process: C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551

Process
↳ C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YUIsAwQI.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\VyEwIMsE.bat
Creates File: C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\VyEwIMsE.bat
Creates Process: "C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\YUIsAwQI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551"

Process
↳ "C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551"

Creates Process: C:\7d6e1c1bb6734f3990a5c3cf1130536548fdf551

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: oYYo.ico
Creates File: YMog.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: AwUU.ico
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: Qgso.exe
Creates File: C:\RCX2.tmp
Creates File: mkgq.exe
Creates File: eusY.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: AooA.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates File: C:\RCX5.tmp
Creates File: AYUE.exe
Creates File: EyAg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\RCXF.tmp
Creates File: cAUe.exe
Creates File: wkcs.ico
Creates File: C:\RCX12.tmp
Creates File: wIkI.ico
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\RCX18.tmp
Creates File: kqck.ico
Creates File: C:\RCXE.tmp
Creates File: kgQi.exe
Creates File: wQAQ.ico
Creates File: ECQI.ico
Creates File: gcgM.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: EWAY.ico
Creates File: AkkU.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\RCX9.tmp
Creates File: PIPE\wkssvc
Creates File: EQAC.exe
Creates File: soMi.exe
Creates File: ksUS.exe
Creates File: EwYO.exe
Creates File: iEsY.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: wUsE.ico
Creates File: C:\RCX1D.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\RCX1B.tmp
Creates File: C:\RCX7.tmp
Creates File: kOUA.ico
Creates File: qAEE.exe
Creates File: C:\RCX17.tmp
Creates File: oYMo.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates File: MSQc.ico
Creates File: scUa.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: UeYQ.ico
Creates File: sSUU.ico
Creates File: MwQy.exe
Creates File: cYUa.exe
Creates File: C:\RCX3.tmp
Creates File: C:\RCX20.tmp
Creates File: C:\RCXB.tmp
Creates File: C:\RCX10.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: oEks.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: gMok.exe
Creates File: UOAg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: siUg.ico
Creates File: wEEQ.ico
Creates File: AMMk.exe
Creates File: C:\RCXD.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File: wMYs.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX1.tmp
Creates File: C:\RCX1E.tmp
Creates File: C:\RCX6.tmp
Creates File: C:\RCXA.tmp
Creates File: C:\RCX1F.tmp
Creates File: QcUo.ico
Creates File: IoYY.exe
Creates File: AEso.exe
Creates File: C:\RCX13.tmp
Creates File: C:\RCX11.tmp
Creates File: C:\RCX21.tmp
Creates File: gAww.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: sqEA.ico
Creates File: siQk.ico
Creates File: C:\RCX19.tmp
Creates File: sKEs.ico
Creates File: YAoA.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: IYAw.ico
Creates File: C:\RCX1C.tmp
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\RCX1A.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: Askg.exe
Creates File: IkEI.exe
Creates File: C:\RCX8.tmp
Creates File: ggwE.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: MSQk.ico
Creates File: YIgU.ico
Creates File: PIPE\DAV RPC SERVICE
Creates File: cYoW.exe
Creates File: EIYe.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: wMwY.ico
Creates File: C:\RCX16.tmp
Creates File: ckwa.exe
Creates File: wwck.ico
Creates File: sGEs.ico
Creates File: C:\RCX4.tmp
Creates File: AIkk.exe
Creates File: EEES.exe
Creates File: UoEG.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: kYAy.exe
Creates File: MyMA.ico
Deletes File: oYYo.ico
Deletes File: YMog.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: AwUU.ico
Deletes File: Qgso.exe
Deletes File: mkgq.exe
Deletes File: UeYQ.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: eusY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: sSUU.ico
Deletes File: AooA.exe
Deletes File: cYUa.exe
Deletes File: MwQy.exe
Deletes File: AYUE.exe
Deletes File: EyAg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: cAUe.exe
Deletes File: wkcs.ico
Deletes File: oEks.ico
Deletes File: wIkI.ico
Deletes File: gMok.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: UOAg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: siUg.ico
Deletes File: AMMk.exe
Deletes File: wEEQ.ico
Deletes File: wMYs.exe
Deletes File: kqck.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: kgQi.exe
Deletes File: wQAQ.ico
Deletes File: ECQI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: QcUo.ico
Deletes File: gcgM.exe
Deletes File: AEso.exe
Deletes File: IoYY.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: gAww.exe
Deletes File: sqEA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: EWAY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: siQk.ico
Deletes File: sKEs.ico
Deletes File: YAoA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: AkkU.exe
Deletes File: IYAw.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: EQAC.exe
Deletes File: soMi.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: Askg.exe
Deletes File: IkEI.exe
Deletes File: ggwE.ico
Deletes File: ksUS.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: iEsY.exe
Deletes File: EwYO.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: MSQk.ico
Deletes File: wUsE.ico
Deletes File: YIgU.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: cYoW.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: wMwY.ico
Deletes File: EIYe.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: ckwa.exe
Deletes File: wwck.ico
Deletes File: sGEs.ico
Deletes File: kOUA.ico
Deletes File: qAEE.exe
Deletes File: oYMo.ico
Deletes File: AIkk.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes File: MSQc.ico
Deletes File: EEES.exe
Deletes File: UoEG.exe
Deletes File: kYAy.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: MyMA.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: scUa.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4F4A.tmp
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1156

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\kAsIQowA.bat" "C:\malware.exe""

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 1780

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\YUIsAwQI.bat" "C:\malware.exe""

Network Details:

DNS: google.com Type: A ➝ 216.58.219.174
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.174:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.174:80
