Analysis Date: 2015-01-14 11:57:50
MD5: f72863ea3ac01421ef058cc1d03b38c5
SHA1: b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Static Details (AV labels converge on the VirLock / Nabucur file-infecting ransomware family; six engines returned no_virus, so a single-engine verdict is not sufficient for triage — use the hashes and the runtime indicators below instead):

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 6398bd4b83c74a009cc997cbb74e9c8574683904
IMPhash
AV360 Safeno_virus
AVAd-AwareTrojan.Obfus.3.Gen
AVAlwil (avast)VirLock-A:Win32:VirLock-A
AVArcabit (arcavir)Trojan.Obfus.3.Gen
AVAuthentiumW32/S-7136ec3b!Eldorado
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVBullGuardTrojan.Obfus.3.Gen
AVCA (E-Trust Ino)Win32/Nabucur.A
AVCAT (quickheal)Ransom.VirLock.A2
AVClamAVno_virus
AVDr. Webno_virus
AVEmsisoftTrojan.Obfus.3.Gen
AVEset (nod32)Win32/Virlock.G virus
AVFortinetW32/Agent.NCA
AVFrisk (f-prot)no_virus
AVF-SecureTrojan.Obfus.3.Gen
AVGrisoft (avg)Win32/Cryptor
AVIkarusVirus-Ransom.FileLocker
AVK7Virus ( 0040f99f1 )
AVKasperskyPacked.Win32.Katusha.o
AVMalwareBytesTrojan.VirLock
AVMcafeeTrojan-FFGO!F72863EA3AC0
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.gen!A
AVMicroWorld (escan)Trojan.Obfus.3.Gen
AVRisingno_virus
AVSophosW32/VirRnsm-A
AVSymantecW32.Ransomlock.AO!inf
AVTrend MicroPE_FINALDO.F
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Note on the trace below (apparently a Windows XP-style sandbox, given the C:\Documents and Settings paths): the sample establishes persistence via Run keys in both HKCU and HKLM that point at apparently random-named copies under the user profile and All Users, writes a further copy of itself as C:\<SHA1> and repeatedly re-spawns it, and runs `reg add ... EnableLUA /d 0`, which disables UAC on Vista and later — the `NULL` recorded for that key here reflects the sandbox readback, not a confirmed write, so treat it as attempted rather than verified. It also sets Explorer `Hidden=2` and `HideFileExt=1`, configuring Explorer to hide hidden files and file extensions so the dropped copies are less visible to the user. The .bat files and file.vbs are created in %TEMP% and deleted shortly after; expect to recover them only from a forensic image or process-creation logging, not from the live filesystem.

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\XuQkEIkU.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aOAYosIM.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aOAYosIM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\XuQkEIkU.bat" "C:\malware.exe""
Creates ProcessC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates ProcessC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZgMwYwYw.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\rmwIQAQs.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZgMwYwYw.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\rmwIQAQs.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\lEkEooYs.bat" "C:\malware.exe""

Creates Process

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\FwIAMgcw.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PIQMUAAk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\FwIAMgcw.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\PIQMUAAk.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates Process

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\malware.exe

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\LoMkMkgI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\roIUogwc.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\LoMkMkgI.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\roIUogwc.bat" "C:\malware.exe""
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\lEkEooYs.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\xeIIMEAI.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\xeIIMEAI.bat
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\lEkEooYs.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\EYMwgQgQ.bat
Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CUYkoUIU.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CUYkoUIU.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\EYMwgQgQ.bat" "C:\malware.exe""
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\QGksEgEQ.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\rmwIQAQs.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\malware.exe

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\rAIsAsYI.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\giwEUEgk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\rAIsAsYI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\giwEUEgk.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\RwkgYEIU.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aaAMEUUY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\aaAMEUUY.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\RwkgYEIU.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\gWQkYMMk.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\gUIMkwco.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\gUIMkwco.bat
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\gWQkYMMk.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\TewoAIIA.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\PIQMUAAk.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PIQMUAAk.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\OOQAgcgg.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WiQoYgQY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\OOQAgcgg.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\WiQoYgQY.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\yUAgIUoE.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\gWQkYMMk.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\gWQkYMMk.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\TewoAIIA.bat
Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\XMUIQMoQ.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\XMUIQMoQ.bat
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\TewoAIIA.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\hoQQwssM.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\QGksEgEQ.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\hoQQwssM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\QGksEgEQ.bat" "C:\malware.exe""
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\fSsMMUsc.bat
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\jAAoUwAY.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\fSsMMUsc.bat
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\jAAoUwAY.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\RwkgYEIU.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\QOkAQsMg.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\QOkAQsMg.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\JUUMkkAk.bat
Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\MMAMIQgU.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\MMAMIQgU.bat
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\JUUMkkAk.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\qukAUMEA.bat
Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\wagYwgcU.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\wagYwgcU.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\qukAUMEA.bat" "C:\malware.exe""
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nKAAoAAI.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\yUAgIUoE.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\YeYIUgIs.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\YeYIUgIs.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\yUAgIUoE.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\XuQkEIkU.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\QOkAQsMg.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\AqQIckMk.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\AqQIckMk.bat
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\QOkAQsMg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\roIUogwc.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\roIUogwc.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\malware.exe

Creates FileC:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\UEsAgwsI.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\RYkMYEAI.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\UEsAgwsI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\RYkMYEAI.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process (user-level persistence copy: it registers itself under the HKCU Run key below, then creates same-name copies of sample images/media/installer files with an extra .exe extension — e.g. guitar.bmp.exe, Sunset.jpg.exe, Setup.exe — and deletes the originals; combined with the HideFileExt=1 and Hidden=2 Explorer settings written earlier in this run, the appended .exe is hidden from the user, so any *.bmp.exe / *.jpg.exe / *.wma.exe found on an affected host should be treated as an infected carrier rather than the original file; a second copy under All Users registers an HKLM Run key further below)
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileC:\RCX2.tmp
Creates FileUMcy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FilecAoi.ico
Creates FilekgUU.ico
Creates FileaEwA.exe
Creates FilesEEC.ico
Creates FileC:\RCX5.tmp
Creates FileQMQM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileMoMe.ico
Creates FileskcG.ico
Creates FileC:\RCXF.tmp
Creates FileQIwK.ico
Creates FileC:\RCX12.tmp
Creates FileEgEy.exe
Creates FileEIsM.ico
Creates FileC:\RCX18.tmp
Creates FileiIsQ.ico
Creates FileC:\RCXE.tmp
Creates FileuwgA.ico
Creates FileUQge.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileEMEw.exe
Creates FileAgwu.exe
Creates FileYEkq.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileWooO.exe
Creates FilecoIg.ico
Creates FilekAAm.ico
Creates FilePIPE\wkssvc
Creates FilemYEe.ico
Creates FilegQkA.exe
Creates FileUosO.ico
Creates FileYAsI.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FilesEsO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FilesAci.exe
Creates FileC:\RCX1D.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileQAMg.ico
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileWAsu.exe
Creates FileC:\RCX17.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FilekAgI.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileQYEU.exe
Creates FilegssU.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileMwQy.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileqwEU.ico
Creates FileC:\RCX3.tmp
Creates FileqMkE.exe
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileYEMs.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileYoMM.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FilePIQW.exe
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileIYIy.ico
Creates FileQsQI.ico
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileAkAO.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileZoYM.exe
Creates FileC:\RCX1C.tmp
Creates FilegkEW.exe
Creates FileuoMS.exe
Creates FileC:\RCX1A.tmp
Creates FileOQgy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileoEQi.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileQkce.ico
Creates FileAYYK.ico
Creates FileC:\RCX8.tmp
Creates FileAEYc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileUosC.ico
Creates FileQkgg.exe
Creates FileAUEU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileMocu.exe
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileWYsY.exe
Creates FileQIEo.ico
Creates FileC:\RCX16.tmp
Creates FileIUke.exe
Creates FileSIEQ.ico
Creates FileAUkc.ico
Creates FilegEcY.ico
Creates FileC:\RCX4.tmp
Creates FilecEMM.exe
Creates Fileiwoy.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FilegoEe.exe
Creates FileQwEA.ico
Creates FileQAAy.ico
Creates FileGwAC.exe
Deletes FilegssU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileUMcy.exe
Deletes FileMwQy.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FilecAoi.ico
Deletes FilekgUU.ico
Deletes FilesEEC.ico
Deletes FileaEwA.exe
Deletes FileqwEU.ico
Deletes FileqMkE.exe
Deletes FileYEMs.ico
Deletes FileQMQM.ico
Deletes FileMoMe.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileskcG.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileQIwK.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileYoMM.exe
Deletes FileEgEy.exe
Deletes FileEIsM.ico
Deletes FilePIQW.exe
Deletes FileiIsQ.ico
Deletes FileIYIy.ico
Deletes FileQsQI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileuwgA.ico
Deletes FileUQge.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileAkAO.exe
Deletes FileEMEw.exe
Deletes FileAgwu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileYEkq.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileZoYM.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileuoMS.exe
Deletes FilegkEW.exe
Deletes FileWooO.exe
Deletes FilecoIg.ico
Deletes FileoEQi.exe
Deletes FilekAAm.ico
Deletes FileQkce.ico
Deletes FilemYEe.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileAYYK.ico
Deletes FilegQkA.exe
Deletes FileAEYc.ico
Deletes FileUosO.ico
Deletes FileQkgg.exe
Deletes FileUosC.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileYAsI.exe
Deletes FileAUEU.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FilesEsO.exe
Deletes FilesAci.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileMocu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileWYsY.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileQIEo.ico
Deletes FileQAMg.ico
Deletes FileIUke.exe
Deletes FileSIEQ.ico
Deletes FileWAsu.exe
Deletes FileAUkc.ico
Deletes FilegEcY.ico
Deletes FilekAgI.exe
Deletes FilecEMM.exe
Deletes Fileiwoy.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FilegoEe.exe
Deletes FileQAAy.ico
Deletes FileQYEU.exe
Deletes FileGwAC.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\WINDOWS\system32\cscript.exe

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ Pid 1900

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\EYMwgQgQ.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\giwEUEgk.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\WiQoYgQY.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\jAAoUwAY.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\JUUMkkAk.bat" "C:\malware.exe""

Process
↳ "C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81"

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\qukAUMEA.bat" "C:\malware.exe""

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ C:\b7b8f467dc65fdb1ac489f256b0d1e18232c7f81

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\RYkMYEAI.bat" "C:\malware.exe""

Network Details (the google.com resolutions and the two HTTP GETs look like a connectivity check; per the raw pcap the GETs carry only a Host header and no User-Agent, which is itself a usable network signature; the TCP flows to port 9999 on 200.87.164.69, 200.119.204.12 and 190.186.45.170 are the only non-Google traffic in this run and are the candidate command-and-control indicators to block and hunt for):

DNSgoogle.com
Type: A
173.194.125.70
DNSgoogle.com
Type: A
173.194.125.71
DNSgoogle.com
Type: A
173.194.125.72
DNSgoogle.com
Type: A
173.194.125.73
DNSgoogle.com
Type: A
173.194.125.78
DNSgoogle.com
Type: A
173.194.125.64
DNSgoogle.com
Type: A
173.194.125.65
DNSgoogle.com
Type: A
173.194.125.66
DNSgoogle.com
Type: A
173.194.125.67
DNSgoogle.com
Type: A
173.194.125.68
DNSgoogle.com
Type: A
173.194.125.69
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1032 ➝ 173.194.125.70:80
Flows TCP192.168.1.1:1033 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1034 ➝ 173.194.125.70:80
Flows TCP192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap (each captured port-9999 flow shows only a single byte, 0x94, so no protocol or payload can be inferred from this run; the two HTTP entries are a bare "GET / HTTP/1.1" to google.com with no User-Agent header)
0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings (almost entirely non-printable fragments, consistent with a packed or encrypted body; the only recognisable items are standard PE artifacts — the "Rich" header marker and the DOS-stub message — so this list yields no useful indicators on its own)
-
.T.
]
.

)05];v
.0bz,0&
 +0]UYW_
(|0=X]5OXp
}]17C*
\]17G2
]]1_I0
~]1kZP
&1sM#>
\]1_W%
2i*3|c
2i*3lc
2i*3xc
2i*7_b
2i*CBa
2i*/hc
2U*/Dc
-2wH@`H
#?2.zo
,2Zo7'
3dsaSt/e;
3q	O1Yh
3+UJq?
4|<\]5#]
 4i:68
@	5	{|]1
]53YZ!
@{]5'EZ
]]5Kj3
[^]5oL(
}]5OT7
_5|'s,
+__]5SC
5\UYWkXk
5v/qg]
64IRCR
.+6,6$
6}dC?}3
7\Na;^
[{7YkJnt[_
8nH#0#
8{ZC=w
@!)9dx
9T,'.T{2;
9YKN]MZ
[AB^+m
!ah7'ahk
a^KN]MZ
APKN]MZ
`ar+D"F
AXKN]MZ
A"-y]53M*
\'BbG*S
bbw(bc
BEOa[[NMMZB
bf9^nk\
B-*G0C
`BH,NW
\BHw]\
Bk2x^j
BSoxBS
bWO^L`_Eag[_b7OZL`_E
bWO^L`WE
bWO^L`WEeM
bWOZL`_EQf[_b7OZL`_E
bWOZL`WEeM
[Bz=peU\
	C7\Bv
CbGW<m
Ck6xVj
CKcWEc
C[sZcAZ
CTsSKX
cWO:L`_E
D/0c}_
D3t	PY
[Da[[X
dBSoqT
" DBZ+	
<dd\UYW_U
D\	D'Z
D+[/E{[?E#Z?D7Z
dF5%}$
dF5U}+
 dFIRYi
Dg7|03
Dg[kE'[+E?[
DIZfDH
}dK?}d
	+Dkmcp/}
d?,p{?0:
DWQ2|Y
~E0*eE0
e	1I\$
ebZs{#
'}eC?te+>
Ec[zDsJ
EFuOeAXHa[
EFuOeAXKa[_
EFuOeAXMa[
EFuOeEXHa[
EFuOeEXKa[/J
EFuOeEXMa[
EFuOmAXb
EFuOmAXc
EHvfDH
_Ek!_E
e^KN]MZ
@EOe[[N
\EoM@E+^CE
e&PDH*R
ES=?c]Q
ES.`F3J
@ESnDE
\F2s{w
F,a"Ca5#
FEo!FE
FEOi[[N
`.;`Fj
FL`WGY
F]OYia[K
F]OYMa[K
fU*3xo
FUOeg[,c[O
=FUOeg[Pt[O
f_UPKN
fUsoG<
,F$*zYNJa[[
,F$*zYNNa[[
?}g`/	
#|_	g|
G0fMJ;b
+|G?5}
 GC|}hZ
	.gDJn
GE+2_E
_gNEMY
GOe[[NM
GScZO\
%G;Z[g
HBSG{@
\H\DFxX
He8=hT
hfW+Bg
H{_GbZ
HH c?Z
(H]]+iQ
Hi]+-Q
HiU'YW
..hudU
hwX\N=
H&#y3^
{i(~1We
:i*3|_
#i5y{Ho{X
ID$ar\
i\KN]MZ
I^KN]MZ
ip[^5+
?i{p/a
i[pwLRQ
iR\*-[
IR{;pNm
[I`sYn
i^t|]5
Iwi32I
j2x^j2x^j2x^j
[Ja[;X
j[_b7OZL`_E
)Jbfebn
j[Fa[[Z
JGX2|YNFa[[Rv
Ji]+=R
j[Ja[[{UM
Jk8[Naw]j|Y
j(Ke^>
JL8zD^
J]OYJa[7X
J]OYLa[
jrJ[_W
jRR	j!
=JThGRR
J{\ZNaw]j|Y
K0~Vw,ng
{#k&2~
K3|eWd
[Ka[sX
[Ka[[X
K'_BJ:
+\KCZ'i
*kE6oa%
k="/ju
&k.:{k/
k]Na;Z
^KN]MZ
_KN]MZ
!]KN]MZ
]KN]MZ
\KN]MZ
KqY+9WM72
]/	K|w	c$
kXNBNa[?Na[[Na[[Na[[Na[[Na[[Na[[
?(L`[C
?|L`[COMm
L`_CZ?_gNMm[ScZOHZ__NM
}&LDH*R
L`[GSyL
LIA]+qQ
LkaWxs|
LmOmO[WcZ
lOhKWj
lQ<y$]I
}'LsM+
L`WCNa
-l^Z?\?
LZ3\k|
m{]5OI
M@7xak
[Ma[{X
m[_b7OZL`_E
/M#d7	
MFL`WEeM-[ScZO@
mh/,nh
Mk/:kc/
MP:>wgk
\MsNa[[\
;_Na7^S
]Na7Z[
+\Na7Z
]Na7ZS
[^Nag]
@Nag[Pb[O
[]NagQ
{\NagY
Na[[Na[[Na[[Na[[Ja[[Na[[
Na[[Na[[Na[[Na[[Na[[Na[[
Na[[Na[[Na[[Na[[Na[[Na[[Na[
Na[[Na[[Na[[Na[[Na[[Na[[Na[cNa[[Na[[Na[[Na[[Na[[Na[[
Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na
Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Na[[Ne
Na[[Na[[Na[[Na[[Na[[Na[[:yRF
/Na[[NYQ
Na[OBsH[Svi
[Naw]j|Y
[NawQj|Y
[NawUZ|Y
nFI.eDH
NgNMMZb
n~j2x^x!
.Nj?nlAX
N]OYJa[[
N]OYLa[;
N]OYLa[KX
N]OYMa[
N]OYMa[s
N]OYSa[
nQDB^+A
NZT!HN
O3|eWd
o&Bz3fU@
OeI[>b[
OeI[^e[
OeI[.e[
OeI["e[
OeI[fd[
OeI[Ff[
OeI[nb[
OeI[Nd[
OeI[nf[
OeI[Nk[
OeI[Vd[
OeI[ve[
oFI*q@B
Og	gZsZ
|OGYARGG
Oh[Wj|
OjL`WE
OmI[f]M
OmI[>_M
OmI[N]M
OMmSScZOH
O/%#nR
ORL`_E
OScZO\
OUMS'gZ
OUMS#gZ
OUMSYcZ
OY3\{}
]OYia[
~]OYIa[
]OYLa[
OZL`_E
OZL`WE
(pe$+tg<
PKEIS_
Pk~fMGh
}PKN]MZ
PKN]MZ
pkR|Tk
Pk{rUGh
PNa[E2
P[_NagSdd[Obw
PNa[I2
PNa[U2
)}#prR
	;pwUgl/e
[Q#D7	
qHCWFHUk~
!QJ/h?
_q}m'NaW]
q&*m>Sd
@QNa_A
QNa[M2
 QNa[Q2
`QNaWI
q_NawY
_q}-SNa
qUKN]MZ
QYKN]MZ
Rbu)eGA
?Rem!}
?Rem%}
,rfi'&
Rich!4O
`RNa[]2
RNaW5*zY
RNaWQ*zY
Ry]1CZU
ScZ'Na[[mc[
ScZ'Na[W
[ScZO\
_ScZOD
[ScZOD
[ScZODj\_NM
ScZOHBX_NM
sDE/6FE
s	gTwe
s	gTwe'	
SKN]MZ
SK#QS@
{SLHdEL
sMS\w}
s^Nag]
s]NagY
s]Na;R
s/OJV.
SScZO\
S<sEE4
SUcZ?ru
*Sv?8L`KCNa
SxQXM.%
SZNJ>h\
T7	#dk
]#T7}W
tA*3|_
!This program cannot be run in DOS mode.
TJwUj|Y
TkEopo
tKhH1L]
TKN]MZ
TkR8UK
:T?ng.C
T"]_NM
TN.{S 
~!Tr2w{
TsaOL/
TsMOL/
TTYWG(
T_	WDsQ
Tw=#d{UW
TwIo\/
Tw	o\/
TzvUj|Y
U5Q,Z}
UcZ?Na[S
[UcZ?ru
|U<E8e
uESZSG
uFuOeQXAa[
uFuOeQXBa[
uFuOeQXEa[
uFuOeQXFa[
uFuOeQXIa[
uFuOeQXIa[S
uFuOeQXJa[
uFuOeQXJa[;
u_H/M'`
>u{;H+s8
U_I`oYRa\
@UOag[
@UOag[@c[O
@UOag[Du[Ozw
@UOmg[
@UOmg[\b[O
@UOmg[("[Ozw
$[UYWK
\;[UYWS
\UYWWE
/^v<3U
V7,HS{R
va[T7M
V<E1g]
V<E1gy
ve<(ve
v}gl/e
VJ:^B\
v_j%mL^
"VroNe`
vYZ|YnJg
*w}*3x_
w5*3x_
WC2(wk
WF#J5A
w	gd?e
w#GNN2
WKd<UZ
WKN]MZ
w+KVf"
w]Nag]
W.o6	`
W_sR3A
/wVR%@
 WY*zY
 W%*zY
X)1K3!SXl
[X9tbv
xdod*Y
xKn2x^F
-XKN]MZ
)XKN]MZ
XKN]MZ
XL`[C[Lm
XL`_CNaGX2|YNJa[[
XL`[Cs}L
XL`_CZ
?XL`_CZgXgN
?XL`_CZw^gNUM['gZ
?XL`KCZCXgN
XL`kCZKXgN
X[N]OYMa[K
]xOKHY
xuFuOe]XEa[
xuFuOe]XFa[
xuFuOe]XHa[
xuFuOe]XHa[w
xuFuOe]XIa[G
xuFuOe]XJa[7
xuFuOe]XJa[c
XUPSJHn
y0Koob
?Y]5{B
Y]5cko
Y]5+Hn
{y]5wS
Y9FAOewYZ|YnBg
Y {GNaWY
YKN]MZ
Y[K[S[
YNa[[IiZ
YNaw]j|Y
YNawUj|Y
YNaw]Z|Y
Y_NMm[ScZ
Y[N]OYJa[+X
;yrj2x^
YSNaWYI
@Y'UJLM
Y+}W;*E
[z2s{w
?Z]5CB
Z]5_Db"
ZCE?wMEO
z)%"C!}L
`ZD.XL
Z/gZ'[
ZL`_Eed[G
'ZL`[G
ZL`_GNa
'ZL`SG
ZL`WE1L
Zqp>L.
	)ZVYW
>(Z>Xz{<
Z|YnBg
Z|YnBg@Z
Z|YnBg$Z
Z|YnJg