Analysis Date: 2016-01-28 03:19:30
MD5: c54844da0db07708391dfb5e1748bbb2
SHA1: 9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 73904776f1147715793302b5cb170791  sha1: 43705139d8430d1979885206ace0eddb5a6adc81  size: 1116672
Section .rdata md5: 82d907d53fb0681d3203d5ffaf7066c7  sha1: f6c3dfa49b3e06384d47de250a202c74b65fa8c2  size: 512
Section .data  md5: 5096df33d873714e520ce89be4809114  sha1: b9a22aae56bc362f6181cce59886bc67555d2262  size: 512
Section .rsrc  md5: 530d6ac6e759b9c7ffe6b10db692942b  sha1: e3a4e85f51afc6e4fbeb068cabbb9c1e7605e6b6  size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 23d056e1a7995046d77bc3ec4cb7742186767521
IMPhash: ca94094854a4283b965f4adedb4131f9

AV detections:
Rising: Trojan.Win32.PolyRansom.a
Mcafee: W32/VirRansom.b
Avira (antivir): TR/Crypt.ZPACK.Gen
Twister: W32.PolyRansom.b.brnk.mg
Ad-Aware: Win32.Virlock.Gen.1
Alwil (avast): VirLock-B [Trj]
Eset (nod32): Win32/Virlock.D virus
Grisoft (avg): Generic_r.EKW
Symantec: W32.Ransomlock.AO!inf4
Fortinet: W32/Zegost.ATDB!tr
BitDefender: Win32.Virlock.Gen.1
K7: Trojan ( 0040f9f31 )
Microsoft Security Essentials: Virus:Win32/Nabucur.C
MicroWorld (escan): Win32.Virlock.Gen.1
MalwareBytes: Trojan.VirLock
Authentium: W32/S-7d685898!Eldorado
Frisk (f-prot): No Virus
Ikarus: Virus-Ransom.FileLocker
Emsisoft: Win32.Virlock.Gen.1
Zillya!: Virus.Virlock.Win32.1
Kaspersky: Virus.Win32.PolyRansom.b
Trend Micro: PE_VIRLOCK.D
CAT (quickheal): Ransom.VirLock.A2
VirusBlokAda (vba32): Virus.VirLock
BullGuard: Win32.Virlock.Gen.1
Arcabit (arcavir): Win32.Virlock.Gen.1
ClamAV: No Virus
Dr. Web: Win32.VirLock.10
F-Secure: Win32.Virlock.Gen.1
CA (E-Trust Ino): Win32/Nabucur.C

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\CQsUwsMw.bat
Creates File: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tkwAYkYs.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\CQsUwsMw.bat
Creates Process: "C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\tkwAYkYs.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Starts Service: BgMMsMHT

Process
↳ C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ucIUQMkM.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YGcwwsMo.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ucIUQMkM.bat
Creates Process: "C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\YGcwwsMo.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8"

Creates Process: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Process
↳ "C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8"

Creates Process: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\YGcwwsMo.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\YGcwwsMo.bat
Deletes File: C:\malware.exe
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ouIswIgQ.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ouIswIgQ.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ouIswIgQ.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WUEEAMYs.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\WUEEAMYs.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\ouIswIgQ.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8"

Creates Process: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\[value name garbled in source] ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8

Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\9b521eec5bcabe6785176a4cc13db5b6e9fb46e8
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gwMIwscQ.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\gwMIwscQ.bat
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 3744 -e 1852 -g
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: uAoS.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: UIEQ.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: MAoc.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\RCX2.tmp
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: YCow.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: wKAo.ico
Creates File: C:\RCX5.tmp
Creates File: ocMO.exe
Creates File: oCkI.ico
Creates File: C:\RCX3.tmp
Creates File: IqAU.ico
Creates File: isEa.exe
Creates File: C:\RCX10.tmp
Creates File: C:\RCXB.tmp
Creates File: QYcW.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: SMMS.exe
Creates File: Yqwo.ico
Creates File: C:\RCXF.tmp
Creates File: C:\RCX12.tmp
Creates File: IQAS.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: yEQA.exe
Creates File: kIsg.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: sAIY.exe
Creates File: C:\RCXD.tmp
Creates File: qwMq.exe
Creates File: OAYI.ico
Creates File: UUQc.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\RCX18.tmp
Creates File: SEoO.exe
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX6.tmp
Creates File: YuYA.ico
Creates File: C:\RCXE.tmp
Creates File: C:\RCXA.tmp
Creates File: IYoW.exe
Creates File: cucc.ico
Creates File: C:\RCX13.tmp
Creates File: C:\RCX11.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: oQke.exe
Creates File: C:\RCX19.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\RCX1C.tmp
Creates File: scMA.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: EQUE.exe
Creates File: C:\RCX9.tmp
Creates File: C:\RCX1A.tmp
Creates File: IeAQ.ico
Creates File: AYIO.exe
Creates File: GAAc.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: eOAI.ico
Creates File: gEQs.ico
Creates File: YkAm.exe
Creates File: C:\RCX8.tmp
Creates File: Oowc.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: mskc.ico
Creates File: YQcO.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: wYca.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: IUYa.exe
Creates File: C:\RCX1D.tmp
Creates File: YsIy.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: gGsc.ico
Creates File: cAAo.ico
Creates File: gAUg.exe
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: ccAw.ico
Creates File: wUQS.exe
Creates File: QCYg.ico
Creates File: C:\RCX16.tmp
Creates File: C:\RCX1B.tmp
Creates File: C:\RCX7.tmp
Creates File: COcI.ico
Creates File: C:\RCX17.tmp
Creates File: IskK.exe
Creates File: MQUw.ico
Creates File: C:\RCX4.tmp
Creates File: KAEa.exe
Creates File: OEsQ.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: ckEY.ico
Creates File: KMwc.ico
Creates File: oiMI.ico
Creates File: SgAK.exe
Creates File: AUEK.exe
Creates File: kcgY.ico
Creates File: Qikc.ico
Creates File: WMQc.ico
Creates File: kUwk.ico
Deletes File: uAoS.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: UIEQ.exe
Deletes File: MAoc.exe
Deletes File: YCow.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: wKAo.ico
Deletes File: ocMO.exe
Deletes File: oCkI.ico
Deletes File: isEa.exe
Deletes File: QYcW.exe
Deletes File: SMMS.exe
Deletes File: Yqwo.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: IQAS.exe
Deletes File: yEQA.exe
Deletes File: kIsg.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: sAIY.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: qwMq.exe
Deletes File: OAYI.ico
Deletes File: UUQc.ico
Deletes File: SEoO.exe
Deletes File: YuYA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: IYoW.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: cucc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: oQke.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: scMA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: EQUE.exe
Deletes File: IeAQ.ico
Deletes File: AYIO.exe
Deletes File: GAAc.exe
Deletes File: eOAI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: gEQs.ico
Deletes File: YkAm.exe
Deletes File: Oowc.ico
Deletes File: mskc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: YQcO.exe
Deletes File: wYca.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: IUYa.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileYsIy.exe
Deletes FilegGsc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FilecAAo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FilegAUg.exe
Deletes FileccAw.ico
Deletes FilewUQS.exe
Deletes FileQCYg.ico
Deletes FileCOcI.ico
Deletes FileMQUw.ico
Deletes FileIskK.exe
Deletes FileOEsQ.ico
Deletes FileKAEa.exe
Deletes FileKMwc.ico
Deletes FileckEY.ico
Deletes FileoiMI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileSgAK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FilekcgY.ico
Deletes FileQikc.ico
Deletes FileWMQc.ico
Deletes FilekUwk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates Filepipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\tkwAYkYs.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 3744 -e 1852 -g

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network Details:

DNSgoogle.com
Type: A
64.233.185.100
DNSgoogle.com
Type: A
64.233.185.139
DNSgoogle.com
Type: A
64.233.185.138
DNSgoogle.com
Type: A
64.233.185.113
DNSgoogle.com
Type: A
64.233.185.102
DNSgoogle.com
Type: A
64.233.185.101
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 64.233.185.100:80
Flows TCP192.168.1.1:1032 ➝ 64.233.185.100:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....
Strings