Analysis Date2015-12-08 15:41:32
MD5aa8c00f5ab855df2c7939d5feef3325d
SHA18ef344313187e04f520a490e7e47064f74801e92

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 232f832bbee4b631a4d0c1faa2d61896 sha1: 6a8aed976d981fc8076adc8e6fd36e097bd02c44 size: 443904
Section.rdata md5: c8f0e10857c25f47af9e40c9df6a551f sha1: 6e7b9eba1e28c9ca853dd9a985385d5741233109 size: 512
Section.data md5: 08497508a2a453d14139ef0ecb9a6092 sha1: 258f983fa30230e97163e066a385d0e13e7e887f size: 512
Section.rsrc md5: 2adcacaa5dc7bac30aa2be4c91caea99 sha1: ef1f2b5a427942af8467712de1a752e457a5415b size: 4608
Timestamp2015-01-06 00:36:08
PEhash67c596383d9522885f0c23972fa10a742ccf1dbc
IMPhash05f358bb0e49d477dc0064f80aa7a45c
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVAd-AwareWin32.Virlock.Gen.1
AVAd-AwareWin32.Virlock.Gen.1
AVFrisk (f-prot)no_virus
AVF-SecureWin32.Virlock.Gen.1
AVF-SecureWin32.Virlock.Gen.1
AVGrisoft (avg)Generic_r.EKW
AVGrisoft (avg)Generic_r.EKW
AVIkarusVirus-Ransom.FileLocker
AVIkarusVirus-Ransom.FileLocker
AVK7Trojan ( 0040f9f31 )
AVK7Trojan ( 0040f9f31 )
AVKasperskyVirus.Win32.PolyRansom.b
AVKasperskyVirus.Win32.PolyRansom.b
AVMalwareBytesTrojan.VirLock
AVMalwareBytesTrojan.VirLock
AVMcafeeW32/VirRansom.b
AVMcafeeW32/VirRansom.b
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVRisingTrojan.Win32.PolyRansom.a
AVRisingTrojan.Win32.PolyRansom.a
AVSophosW32/VirRnsm-C
AVSymantecW32.Ransomlock.AO!inf4
AVSymantecW32.Ransomlock.AO!inf4
AVTrend MicroPE_VIRLOCK.D
AVTrend MicroPE_VIRLOCK.D
AVTwisterW32.PolyRansom.b.brnk.mg
AVTwisterW32.PolyRansom.b.brnk.mg
AVVirusBlokAda (vba32)Virus.VirLock
AVVirusBlokAda (vba32)Virus.VirLock
AVZillya!Virus.Virlock.Win32.1
AVZillya!Virus.Virlock.Win32.1
AVAlwil (avast)MalOb-FE [Cryp]
AVAlwil (avast)MalOb-FE [Cryp]
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVAuthentiumW32/S-b256b4b7!Eldorado
AVAuthentiumW32/S-b256b4b7!Eldorado
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVBitDefenderWin32.Virlock.Gen.1
AVBitDefenderWin32.Virlock.Gen.1
AVBullGuardWin32.Virlock.Gen.1
AVBullGuardWin32.Virlock.Gen.1
AVCA (E-Trust Ino)Win32/Nabucur.C
AVCA (E-Trust Ino)Win32/Nabucur.C
AVCAT (quickheal)Ransom.VirLock.A2

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\XakYkQMo.bat
Creates FileC:\8ef344313187e04f520a490e7e47064f74801e92
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\QgcwQQUY.bat
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\QgcwQQUY.bat
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\XakYkQMo.bat" "C:\malware.exe""
Creates Process"C:\8ef344313187e04f520a490e7e47064f74801e92"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\8ef344313187e04f520a490e7e47064f74801e92

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\bYQQAoks.bat
Creates FileC:\8ef344313187e04f520a490e7e47064f74801e92
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\NIcUkwQY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\bYQQAoks.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\NIcUkwQY.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\8ef344313187e04f520a490e7e47064f74801e92"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\8ef344313187e04f520a490e7e47064f74801e92"

Creates ProcessC:\8ef344313187e04f520a490e7e47064f74801e92

Process
↳ "C:\8ef344313187e04f520a490e7e47064f74801e92"

Creates ProcessC:\8ef344313187e04f520a490e7e47064f74801e92

Process
↳ "C:\8ef344313187e04f520a490e7e47064f74801e92"

Creates ProcessC:\8ef344313187e04f520a490e7e47064f74801e92

Process
↳ C:\8ef344313187e04f520a490e7e47064f74801e92

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\8f8d_appcompat.txt
Creates FilePIPE\lsarpc
Creates ProcessC:\WINDOWS\system32\dwwin.exe -x -s 1856

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\8ef344313187e04f520a490e7e47064f74801e92

Creates FileC:\8ef344313187e04f520a490e7e47064f74801e92
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\kSEEYQAY.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\iCwoQskY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\kSEEYQAY.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\iCwoQskY.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\8ef344313187e04f520a490e7e47064f74801e92"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileYEcM.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FilekYMq.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FileQUQw.ico
Creates Fileqmwo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileWAIo.ico
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates FilewocY.ico
Creates FilewMYg.ico
Creates FileIQoY.ico
Creates FileEgoe.exe
Creates FileMucU.ico
Creates FileggQs.ico
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FileC:\RCXE.tmp
Creates FilekOoU.ico
Creates FileYsgE.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileIYcA.exe
Creates FileC:\RCXC.tmp
Creates FileEwEi.exe
Creates FilemGYE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FilekUMy.exe
Creates FilePIPE\wkssvc
Creates FileUcAO.exe
Creates FileEcoS.exe
Creates FileKIsU.ico
Creates FileQoos.exe
Creates FileqMEA.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileUgIe.exe
Creates FileC:\RCX1D.tmp
Creates FilecmYA.ico
Creates FilewwUw.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileC:\RCX17.tmp
Creates FileQwgE.exe
Creates FileOggu.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FilekSYI.ico
Creates FileEMYm.exe
Creates FilecgEW.exe
Creates FileYcIQ.ico
Creates Filecqgg.ico
Creates FileAcoQ.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileUekk.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FilesKsg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileUeUM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileQosc.exe
Creates FileEskS.exe
Creates FileC:\RCX3.tmp
Creates FileC:\RCX20.tmp
Creates Filekasg.ico
Creates FileC:\RCXB.tmp
Creates FileGmUs.ico
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileaggG.exe
Creates FilewIsE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FilekkwS.exe
Creates FilecmAI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileQwow.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileWSwE.ico
Creates FileMqos.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates FileAgYM.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileckgE.exe
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FilesMMS.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FilecGQk.ico
Creates FileC:\RCX19.tmp
Creates FilecaEE.ico
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates FileIksY.ico
Creates FileEIYS.exe
Creates FilesAIk.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileEGsU.ico
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FilekckS.exe
Creates FileC:\RCX8.tmp
Creates FileMcMe.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileUIke.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DF34E4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FilewUgo.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FilecgMa.exe
Creates FileYUQY.exe
Creates FilewsAA.ico
Creates FileC:\RCX16.tmp
Creates FileQkoc.ico
Creates FilesYgW.exe
Creates Fileokcc.ico
Creates FileC:\RCX4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Deletes FilesKsg.ico
Deletes FileUeUM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileYEcM.exe
Deletes FileQosc.exe
Deletes FileEskS.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FilekYMq.exe
Deletes FileQUQw.ico
Deletes Fileqmwo.ico
Deletes Filekasg.ico
Deletes FileGmUs.ico
Deletes FileWAIo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileaggG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FilewocY.ico
Deletes FilewMYg.ico
Deletes FilewIsE.ico
Deletes FileIQoY.ico
Deletes FilekkwS.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilecmAI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileQwow.exe
Deletes FileEgoe.exe
Deletes FileMucU.ico
Deletes FileWSwE.ico
Deletes FileMqos.ico
Deletes FileggQs.ico
Deletes FileAgYM.exe
Deletes FileckgE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FilekOoU.ico
Deletes FileYsgE.exe
Deletes FilesMMS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FilecGQk.ico
Deletes FileIYcA.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FilecaEE.ico
Deletes FileEwEi.exe
Deletes FilemGYE.ico
Deletes FileIksY.ico
Deletes FilesAIk.exe
Deletes FileEIYS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileEGsU.ico
Deletes FilekUMy.exe
Deletes FileUcAO.exe
Deletes FileEcoS.exe
Deletes FilekckS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileKIsU.ico
Deletes FileQoos.exe
Deletes FileMcMe.exe
Deletes FileqMEA.exe
Deletes FileUIke.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FilewUgo.ico
Deletes FileUgIe.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FilecmYA.ico
Deletes FilecgMa.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FilewwUw.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileYUQY.exe
Deletes FilewsAA.ico
Deletes FileQkoc.ico
Deletes FilesYgW.exe
Deletes FileOggu.exe
Deletes FileQwgE.exe
Deletes Fileokcc.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FilekSYI.ico
Deletes FileEMYm.exe
Deletes FilecgEW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileYcIQ.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes Filecqgg.ico
Deletes FileAcoQ.exe
Deletes FileUekk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\XakYkQMo.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\NIcUkwQY.bat" "C:\malware.exe""

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 1856

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\iCwoQskY.bat" "C:\malware.exe""

Network Details:

DNSgoogle.com
Type: A
216.58.219.142
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.58.219.142:80
Flows TCP192.168.1.1:1032 ➝ 216.58.219.142:80

Raw Pcap

Strings