Analysis Date: 2015-01-14 13:52:21
MD5: 7e12363b1beddc28787e5603de89223b
SHA1: ab14c25d1deb2914b206caa2068f9910ababe83b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 87e4f27cdefbf48f01c523261a5b94f01bf17d8a
IMPhash:
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Obfus.3.Gen
AV Alwil (avast): VirLock-A:Win32:VirLock-A
AV Arcabit (arcavir): Trojan.Obfus.3.Gen
AV Authentium: W32/S-7136ec3b!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Trojan.Obfus.3.Gen
AV CA (E-Trust Ino): Win32/Nabucur.A
AV CAT (quickheal): Ransom.VirLock.A2
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Obfus.3.Gen
AV Eset (nod32): Win32/Virlock.G virus
AV Fortinet: W32/Agent.NCA
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Obfus.3.Gen
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Virus-Ransom.FileLocker
AV K7: Virus ( 0040f99f1 )
AV Kaspersky: Virus.Win32.PolyRansom.a
AV MalwareBytes: Trojan.VirLock
AV Mcafee: Trojan-FFGO!7E12363B1BED
AV Microsoft Security Essentials: Virus:Win32/Nabucur.gen!A
AV MicroWorld (escan): Trojan.Obfus.3.Gen
AV Rising: no_virus
AV Sophos: W32/VirRnsm-A
AV Symantec: W32.Ransomlock.AO!inf
AV Trend Micro: PE_FINALDO.F
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zuUosIMA.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wgAgYwEE.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\wgAgYwEE.bat
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\zuUosIMA.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\jKUsYMkw.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\iuggQkck.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gOkEUYcw.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rmUkcwkU.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\gOkEUYcw.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\rmUkcwkU.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\scwQAIAE.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\qEMMcEIY.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pIIIwUko.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\pIIIwUko.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\<value name captured as a mis-encoded multi-byte blob; not recoverable from the report> ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\oUkcYEoI.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\oUkcYEoI.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IKooIAgw.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mCQwYwEM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\mCQwYwEM.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\IKooIAgw.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\veAsowAY.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\veAsowAY.bat" "C:\malware.exe""
Creates Process:
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ceUQMMkw.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sOQwMQkk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\sOQwMQkk.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\ceUQMMkw.bat" "C:\malware.exe""
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\veAsowAY.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\hEoIggko.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\scwQAIAE.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DaMAYwMs.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\DaMAYwMs.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\scwQAIAE.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hyYgQUIk.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NKkkQIYw.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\NKkkQIYw.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\hyYgQUIk.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ceUQMMkw.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ceUQMMkw.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\zuUosIMA.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hEoIggko.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\JwAIcMYM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\JwAIcMYM.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\hEoIggko.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\IKooIAgw.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vQkMcQcQ.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\SQMIwIgM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\SQMIwIgM.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\vQkMcQcQ.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\uAkMssoE.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\vQkMcQcQ.bat" "C:\malware.exe""

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bosYsgMg.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\bosYsgMg.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\UAYAcEkM.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\pOkogEck.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pOkogEck.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\LCkAMcUw.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\LCkAMcUw.bat
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\pOkogEck.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\LGYUYMkI.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\oUkcYEoI.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yUQwYQQI.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\yUQwYQQI.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\oUkcYEoI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\AsEUwgwQ.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UAYAcEkM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\AsEUwgwQ.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\UAYAcEkM.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\qskAwcAE.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\LGYUYMkI.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\qskAwcAE.bat
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\LGYUYMkI.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\SsQIcMMA.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YUIIkUsE.bat
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\SsQIcMMA.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\YUIIkUsE.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\SsQIcMMA.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jKUsYMkw.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TYEIsIYU.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\TYEIsIYU.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\jKUsYMkw.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\jcIgMwIM.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\iuggQkck.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wagEAcIQ.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\wagEAcIQ.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\iuggQkck.bat" "C:\malware.exe""
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\WINDOWS\system32\reg.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bwAsQgwo.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jcIgMwIM.bat
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\bwAsQgwo.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\jcIgMwIM.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ab14c25d1deb2914b206caa2068f9910ababe83b
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\uAkMssoE.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rGYIQYko.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\rGYIQYko.bat
Creates Process: "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\uAkMssoE.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: kQgS.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\RCX2.tmp
Creates File: ugYU.ico
Creates File: kkQs.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\RCX5.tmp
Creates File: C:\RCX3.tmp
Creates File: C:\RCX10.tmp
Creates File: C:\RCXB.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: IYge.exe
Creates File: C:\RCXF.tmp
Creates File: C:\RCX12.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: Wswe.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: QMwc.exe
Creates File: cUke.exe
Creates File: C:\RCXD.tmp
Creates File: UoYG.ico
Creates File: UIwa.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: ygQi.exe
Creates File: mkMQ.ico
Creates File: C:\RCX18.tmp
Creates File: IYQa.ico
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: cQcM.exe
Creates File: C:\RCX6.tmp
Creates File: IAoo.ico
Creates File: C:\RCXE.tmp
Creates File: C:\RCXA.tmp
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: UYgI.ico
Creates File: OUMq.ico
Creates File: wAII.exe
Creates File: UkEu.exe
Creates File: C:\RCX13.tmp
Creates File: cwQy.exe
Creates File: kgAi.exe
Creates File: C:\RCX11.tmp
Creates File: wIoi.exe
Creates File: EMkS.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: C:\RCX19.tmp
Creates File: MUAi.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\RCX1C.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\RCX9.tmp
Creates File: C:\RCX1A.tmp
Creates File: MQkY.ico
Creates File: YgEI.exe
Creates File: IoYE.exe
Creates File: AEEe.exe
Creates File: MEUc.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: Ecgu.exe
Creates File: PIPE\wkssvc
Creates File: AQUg.exe
Creates File: cgwO.ico
Creates File: Ssgc.ico
Creates File: sUQu.ico
Creates File: C:\RCX8.tmp
Creates File: oMoq.ico
Creates File: wsgs.exe
Creates File: QMoc.exe
Creates File: wEIa.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: MUwc.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: Mggg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: kcww.ico
Creates File: EEQi.ico
Creates File: UkcI.exe
Creates File: kEEC.exe
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: kcYo.exe
Creates File: cEEg.exe
Creates File: YYwk.exe
Creates File: C:\RCX16.tmp
Creates File: C:\RCX1B.tmp
Creates File: C:\RCX7.tmp
Creates File: EYUs.ico
Creates File: EkkG.ico
Creates File: C:\RCX17.tmp
Creates File: AYMC.ico
Creates File: C:\RCX4.tmp
Creates File: RgQm.ico
Creates File: MEAe.ico
Creates File: cAEM.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: WgUc.exe
Creates File: sAYS.ico
Creates File: IEYm.ico
Creates File: QQUY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: ugYU.ico
Deletes File: kkQs.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: IYge.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: Wswe.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: QMwc.exe
Deletes File: cUke.exe
Deletes File: UoYG.ico
Deletes File: UIwa.ico
Deletes File: ygQi.exe
Deletes File: mkMQ.ico
Deletes File: IYQa.ico
Deletes File: cQcM.exe
Deletes File: IAoo.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: UYgI.ico
Deletes File: OUMq.ico
Deletes File: wAII.exe
Deletes File: UkEu.exe
Deletes File: cwQy.exe
Deletes File: kgAi.exe
Deletes File: wIoi.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: EMkS.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: MUAi.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: MQkY.ico
Deletes File: YgEI.exe
Deletes File: IoYE.exe
Deletes File: AEEe.exe
Deletes File: MEUc.exe
Deletes File: Ecgu.exe
Deletes File: AQUg.exe
Deletes File: cgwO.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: sUQu.ico
Deletes File: Ssgc.ico
Deletes File: oMoq.ico
Deletes File: QMoc.exe
Deletes File: wsgs.exe
Deletes File: wEIa.exe
Deletes File: MUwc.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: Mggg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: EEQi.ico
Deletes File: UkcI.exe
Deletes File: kEEC.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: kcYo.exe
Deletes File: cEEg.exe
Deletes File: YYwk.exe
Deletes File: EkkG.ico
Deletes File: EYUs.ico
Deletes File: AYMC.ico
Deletes File: MEAe.ico
Deletes File: RgQm.ico
Deletes File: cAEM.ico
Deletes File: WgUc.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: sAYS.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: IEYm.ico
Deletes File: QQUY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\rmUkcwkU.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\hyYgQUIk.bat" "C:\malware.exe""

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\ab14c25d1deb2914b206caa2068f9910ababe83b"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ C:\ab14c25d1deb2914b206caa2068f9910ababe83b

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Network Details:

DNS: google.com (Type: A) ➝ 173.194.125.64
DNS: google.com (Type: A) ➝ 173.194.125.65
DNS: google.com (Type: A) ➝ 173.194.125.66
DNS: google.com (Type: A) ➝ 173.194.125.67
DNS: google.com (Type: A) ➝ 173.194.125.68
DNS: google.com (Type: A) ➝ 173.194.125.69
DNS: google.com (Type: A) ➝ 173.194.125.70
DNS: google.com (Type: A) ➝ 173.194.125.71
DNS: google.com (Type: A) ➝ 173.194.125.72
DNS: google.com (Type: A) ➝ 173.194.125.73
DNS: google.com (Type: A) ➝ 173.194.125.78
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1032 ➝ 173.194.125.64:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.125.64:80
Flows TCP: 192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP: 192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .
Strings
.
'&.
.=
.
.
)
.
R.

*^(@!!
\.^(@ 
0@e>-kBt
0$X{2$
17+`)x
!1`B|s
1HHb)|	
1m%w2h
2+^(@!&
26@d\B@
>2eILK
 2i*jwa
2k(t2k(
2k(t2k(t2k(
2k(t2k(t2k+t
2k(t2k(t2k(t2k(
2tvC<4
	@2{v~
3-(cb]
^=3sRo7
$4cb(v
4FR;bt
4(+*gd
4m_Fca
4o)v2h)w2
5$`j._
#5MkK]
+65_5M
6aEA {
{& ,^6:e
-6*^ @k
\6n`\B
	~6qv~
)6S/_bA
(6XSQ&
=*`#6Zr\B
7a^(@ 
7(B?B B?B B?B B?B 
7b!t<d
7d~(~*`
&7etBCQ^
&7gPJKq
7[^ @kI
7n-C	"
7n-q3k+
7n-q,M
7n-v>bg
7n-~$vg
7n-z9|g
7R^ @k
7W^(@ 
7wC[<	
7X^(@ 
7Y._ci
)+8biR
8|bNJH
8\P+|^4~
`8P'bg
9b.yv~
9I50;S
9j40;k
9u50;U
,]A.'[
a2-B yE
	A2wv~
ABiTTh
a#<#mq&
AR>c-?
b([*`#
)B4|^0
=*`)B4B
=*`)B4B)/
}?B>4B@DDd))
B88GcB
BBXW""
\bd>4B
>bdknKQ
;B FDA
Bl{DLr>
}BqInB
}BqM!B 
|BU%}6
^b:U%Y
Bv.qc)
	b.wv~
|Bz0XBR
=]c3)4
c)}4^(@ 
c5I%|3P
c6M~jStj?r$_
c?B B?r
cBR%Gb)
+c.*;bz
CCYV##
^cEA *
Cff|BO^lA\
|c%l/G
,CpQ>x
CsA_FcaI
|',csR
d2[%TB
D-7NCe
d<B> %
@D+|BU
d(c*`#
dIJjB,u
'dIU?3y
(dk9P^
	D.wv~
'd	Y63
#	#e3qv
;ecL1=
	E.qv~
*e`(W*`
FQY\0~
.g1n>4}
G[bj._
gCH;,,
Gc(n*`
	G.cv~
#?%g]f3
;ghB J
GkiD93
'=-Glf
	G.uv~
	G.}v~
h9$Da4?
%I50;U
i%D)yz
IjbVgq
|i	Ksu
= I)l z
i&.Nin
!i`N!l
*in^Ni
iSv{0V
iSv31V
iUv=%V
IYSD)93d
,.j(>/
,+`#j*
%$`j._
j6^NAl
j[a :(
\=*jbaq
jE6EBN
'~jvu_:r
j*w2+IL
j*w$+IL
+^ @k5)
k"$9h*
k"$CdZ
{  Kd\
^(@ K)N 
K~&P[z
\|(k&tNk
*^ @kU
?k+v2k)p2u
lf	G.yv~
l-gd)F
l-'Gz,*Rg
llS9G&{v~
LQ|biKls)b
)L%S*Z
Mc1Sd_
,Mg^(_%G^s
mOhm7%
m-$x -
)+Nb-R
;n]g?&
NheUoJgu
@*Nl/,
<no.m\3
n._%=}q
$n-q3k+
nVpBpo1
NW}6Ir
oc4iN{L
oc4nnS|
of1ui&
o\LCDw
o,Lj.u
OmK#n-
Pi+^(@!	
*-$pl-$
,pL7.B
(:pn<m0
-q50MhH
!$"	<QJ
r|< %=
r3i+w1k
_?R73|
Rich!4O
RQ8tRc
;r$r?r<U
RT@bX|a
^ @RY>
r?zp%Xyp
;r${zs
sdd)34
sHg]$[
S]r)jX$
t2k+t0
t2k(t2
t2k(t2k(
(t2k(w1
tc(v*`#
!This program cannot be run in DOS mode.
(T\pcb
(T\pyb
t$u1Eu
tuG8Dv
t,[*uq
(+T?	v
tV\%Z]
`t@#[yy
U^(@ :
uAi]v1hZ
^UgoJ|m
+uIOXC
Uj,aqB
U^ @ke(
U^(@ n
U%+pt&d
UZ~DW[U
VBN>Uc)2
VLxG}&
W^(@ "
W^(@!)
(w0k+w
(w0k+w2
w1$8(0$5 0$
w2h+w3k(
wGoSQ_
wGoSQ\
WNX$mO
*wqc$7oZ
*wqk#7
*wq#*w
*wq++wq>So
*wt~*wt
W^(@ y
x'1[w#
XAC\h~k.?
Xa)Q	)\
`x/ B[0
xupY\$
X!V	'.
=*`)y	
y1$Qy1
`(y*`#a
YAWVLx
Yi]sKhZ4
Yl< ~(
ym{*j2
~(Z*`#
'Z-)_%
%z{<c-
ZGa`Qg
=*Z~N6
Z(NF/<
z`O+`#
$Z^tid"
@@ZU