Analysis Date: 2015-05-11 00:33:56
MD5: 021ebfb7485074ecf69ab826130c9325
SHA1: cd081ef226979196acbc69f93b81c558e185da92

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 27277b3b26cc3bac332ab38ee3bab35e sha1: eb67e399e4745292e5a3dcf8a623f8d47fa594d1 size: 466944
Section .rdata: md5: 46fa7f594604f724e4cc71409107ea59 sha1: ccc0da92a9d8de00d0dd4489bee83cfa4fdb3cc6 size: 512
Section .data: md5: ec43636d498359484230f18a74612dc3 sha1: 6f7cda5d935c9bbeddc808fc0c34e4ec1b61853f size: 512
Section .rsrc: md5: 2c2699f8c0295232ea81c37564325bc7 sha1: d2964d209356fe8f3d2c4663dd16533a795fc3fb size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 5d3d5ffbf0307e612f1b6ce8d7e10d929accdc9b
IMPhash: 0022a57813f3d03a681d3d35f3b0d46b
AV Ad-Aware: Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV Authentium: W32/S-7d685898!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BitDefender: Win32.Virlock.Gen.1
AV BullGuard: Win32.Virlock.Gen.1
AV CA (E-Trust Ino): Win32/Nabucur.C
AV CAT (quickheal): Ransom.VirLock.A2
AV ClamAV: no_virus
AV Dr. Web: Win32.VirLock.10
AV Emsisoft: Win32.Virlock.Gen.1
AV Eset (nod32): Win32/Virlock.G virus
AV Fortinet: W32/Zegost.ATDB!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Win32.Virlock.Gen.1
AV Grisoft (avg): Generic_r.EKW
AV Ikarus: Trojan-PWS.Win32.QQPass
AV K7: Trojan ( 0040f9f31 )
AV Kaspersky: Virus.Win32.PolyRansom.b
AV MalwareBytes: Trojan.VirLock
AV Mcafee: W32/VirRansom.b
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: W32/VirRnsm-C
AV Symantec: no_virus
AV Trend Micro: PE_VIRLOCK.D
AV Twister: W32.PolyRansom.b.brnk.mg
AV VirusBlokAda (vba32): Virus.VirLock

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OoAUoAkg.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NMYEQgwc.bat
Creates File: C:\cd081ef226979196acbc69f93b81c558e185da92
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\NMYEQgwc.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\cd081ef226979196acbc69f93b81c558e185da92"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\OoAUoAkg.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ "C:\cd081ef226979196acbc69f93b81c558e185da92"

Creates Process: C:\cd081ef226979196acbc69f93b81c558e185da92

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\wwMQUYIw.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\cd081ef226979196acbc69f93b81c558e185da92

Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\GgoQsIIw.bat
Creates File: C:\cd081ef226979196acbc69f93b81c558e185da92
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wwMQUYIw.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\GgoQsIIw.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\wwMQUYIw.bat" "C:\malware.exe""
Creates Process: "C:\cd081ef226979196acbc69f93b81c558e185da92"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\cd081ef226979196acbc69f93b81c558e185da92"

Creates Process: C:\cd081ef226979196acbc69f93b81c558e185da92

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ "C:\cd081ef226979196acbc69f93b81c558e185da92"

Creates Process: C:\cd081ef226979196acbc69f93b81c558e185da92

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\OoAUoAkg.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\OoAUoAkg.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\tuIQEgoo.bat" "C:\malware.exe""

Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\cd081ef226979196acbc69f93b81c558e185da92

Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WmcUEMMY.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tuIQEgoo.bat
Creates File: PIPE\lsarpc
Creates File: C:\cd081ef226979196acbc69f93b81c558e185da92
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\WmcUEMMY.bat
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\tuIQEgoo.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\cd081ef226979196acbc69f93b81c558e185da92"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\cd081ef226979196acbc69f93b81c558e185da92

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kQQIMQYM.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\cd081ef226979196acbc69f93b81c558e185da92
Creates Process: "C:\cd081ef226979196acbc69f93b81c558e185da92"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: NosQ.ico
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: nwIk.ico
Creates File: tQck.exe
Creates File: C:\RCX2.tmp
Creates File: RMAK.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: tgIU.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates File: C:\RCX5.tmp
Creates File: tQoY.ico
Creates File: pUEi.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\RCXF.tmp
Creates File: pKYg.ico
Creates File: C:\RCX12.tmp
Creates File: pugw.ico
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: hcAs.exe
Creates File: C:\RCX18.tmp
Creates File: lIUQ.ico
Creates File: C:\RCXE.tmp
Creates File: RoIa.exe
Creates File: FWgg.ico
Creates File: foUc.exe
Creates File: dAQk.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: HYEw.exe
Creates File: ZOww.ico
Creates File: VgYE.exe
Creates File: JIAq.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\RCX9.tmp
Creates File: TUMi.exe
Creates File: NoMc.ico
Creates File: WmQo.ico
Creates File: BSQU.ico
Creates File: xYMO.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates File: NcEw.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: C:\RCX1D.tmp
Creates File: peYY.ico
Creates File: lsww.exe
Creates File: Vswk.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: rAgy.exe
Creates File: dMAc.ico
Creates File: C:\RCX1B.tmp
Creates File: C:\RCX7.tmp
Creates File: tMgI.exe
Creates File: C:\RCX17.tmp
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates File: xUce.exe
Creates File: tQIQ.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: NUQE.ico
Creates File: xMsq.exe
Creates File: FAcY.exe
Creates File: C:\RCX3.tmp
Creates File: C:\RCX20.tmp
Creates File: xmEw.ico
Creates File: C:\RCXB.tmp
Creates File: C:\RCX10.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: lEcs.ico
Creates File: lIkI.ico
Creates File: peEs.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: JOMo.ico
Creates File: xGEQ.ico
Creates File: C:\RCXD.tmp
Creates File: xCIE.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX1.tmp
Creates File: C:\RCX1E.tmp
Creates File: C:\RCX6.tmp
Creates File: C:\RCXA.tmp
Creates File: lMIc.exe
Creates File: C:\RCX1F.tmp
Creates File: C:\RCX13.tmp
Creates File: C:\RCX11.tmp
Creates File: C:\RCX21.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: BeEY.ico
Creates File: C:\RCX19.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: pMgQ.exe
Creates File: C:\RCX1C.tmp
Creates File: hQES.exe
Creates File: tocs.ico
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\RCX1A.tmp
Creates File: Vckw.ico
Creates File: bQYe.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: loQA.exe
Creates File: lUko.exe
Creates File: RUcm.exe
Creates File: C:\RCX8.tmp
Creates File: VAgs.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: tIsu.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: hcYC.exe
Creates File: JYcK.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: BsEa.exe
Creates File: luAQ.ico
Creates File: lAIQ.exe
Creates File: hqMA.ico
Creates File: C:\RCX16.tmp
Creates File: ZcAC.exe
Creates File: BEkc.exe
Creates File: C:\RCX4.tmp
Creates File: ZKgo.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: JoIQ.exe
Creates File: ZiMg.ico
Deletes File: NosQ.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: nwIk.ico
Deletes File: tQck.exe
Deletes File: NUQE.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: RMAK.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: xMsq.exe
Deletes File: tgIU.ico
Deletes File: FAcY.exe
Deletes File: tQoY.ico
Deletes File: pUEi.exe
Deletes File: xmEw.ico
Deletes File: lEcs.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: lIkI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: peEs.ico
Deletes File: pKYg.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: JOMo.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: xGEQ.ico
Deletes File: pugw.ico
Deletes File: xCIE.ico
Deletes File: hcAs.exe
Deletes File: lIUQ.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: RoIa.exe
Deletes File: FWgg.ico
Deletes File: lMIc.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: foUc.exe
Deletes File: dAQk.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: BeEY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: HYEw.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: ZOww.ico
Deletes File: pMgQ.exe
Deletes File: VgYE.exe
Deletes File: JIAq.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: hQES.exe
Deletes File: tocs.ico
Deletes File: TUMi.exe
Deletes File: NoMc.ico
Deletes File: Vckw.ico
Deletes File: bQYe.exe
Deletes File: loQA.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: WmQo.ico
Deletes File: lUko.exe
Deletes File: RUcm.exe
Deletes File: BSQU.ico
Deletes File: VAgs.ico
Deletes File: xYMO.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: NcEw.ico
Deletes File: tIsu.exe
Deletes File: hcYC.exe
Deletes File: JYcK.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: peYY.ico
Deletes File: lsww.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: BsEa.exe
Deletes File: Vswk.ico
Deletes File: rAgy.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: luAQ.ico
Deletes File: dMAc.ico
Deletes File: lAIQ.exe
Deletes File: hqMA.ico
Deletes File: tMgI.exe
Deletes File: ZcAC.exe
Deletes File: BEkc.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes File: ZKgo.ico
Deletes File: xUce.exe
Deletes File: tQIQ.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: JoIQ.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: ZiMg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ Pid 1312

Process
↳ Pid 1864

Process
↳ Pid 1164

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ "C:\cd081ef226979196acbc69f93b81c558e185da92"
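
The runtime events above reduce to three findings a responder needs from this sample: which user files it replaced, which Explorer and UAC settings it weakened, and where it persists. The script below is an added triage example, not part of this report or of the sandbox that produced it. It reads behaviour events written as `Action: value` lines in the shapes that appear on this page, and the lines embedded in it are a constructed subset copied from the report.

```python
"""Triage a sandbox behaviour log written as "Action: value" lines.

Added example for this page; not code from the report or from the sandbox
that produced it. It assumes only the line shapes visible in the report:
"Creates File: path", "Deletes File: path", "Creates Process: reg add ...",
"Registry: key ➝ value" and "Creates Service: name - path".
"""
import re

# Constructed input: a subset of the runtime events copied from the report.
SAMPLE_LOG = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates File: C:\RCX15.tmp
Creates File: NosQ.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: NosQ.ico
Creates Mutex: vWcsggUA
"""

EVENT_RE = re.compile(
    r"^(Registry|Creates File|Deletes File|Creates Process|Creates Service|"
    r"Starts Service|Creates Mutex): (.+)$"
)
REG_ADD_RE = re.compile(r"reg add (?P<key>\S+) .*?/v (?P<name>\S+) .*?/d (?P<data>\S+)", re.I)

# (value name, data) pairs the sample writes, and what each buys the attacker.
WEAKENING = {
    ("enablelua", "0"): "UAC disabled",
    ("hidefileext", "1"): "Explorer hides extensions, so cat.bmp.exe displays as cat.bmp",
    ("hidden", "2"): "Explorer hides files marked hidden",
}


def parse_events(text):
    """Return (action, detail) tuples; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def infected_originals(events):
    """Paths that were deleted while the same path plus '.exe' was created.

    That pairing is the file-infector behaviour in the report: the user's
    document is swallowed into a new executable and the original removed.
    Scratch files such as RCX*.tmp or NosQ.ico have no '.exe' twin and are
    left out.
    """
    created = {d for a, d in events if a == "Creates File"}
    return sorted(d for a, d in events if a == "Deletes File" and d + ".exe" in created)


def registry_tampering(events):
    """Map value name -> explanation for each weakening 'reg add' the sample ran."""
    hits = {}
    for action, detail in events:
        if action != "Creates Process":
            continue
        m = REG_ADD_RE.search(detail)
        if m:
            key = (m.group("name").lower(), m.group("data"))
            if key in WEAKENING:
                hits[m.group("name")] = WEAKENING[key]
    return hits


def persistence(events):
    """Autostart locations as (mechanism, path): Run-key values and services."""
    found = []
    for action, detail in events:
        if action == "Registry" and "\\currentversion\\run\\" in detail.lower() and " ➝ " in detail:
            found.append(("run-key", detail.split(" ➝ ", 1)[1]))
        elif action == "Creates Service" and " - " in detail:
            found.append(("service", detail.split(" - ", 1)[1]))
    return found


def triage(text):
    events = parse_events(text)
    return {
        "infected": infected_originals(events),
        "tampering": registry_tampering(events),
        "persistence": persistence(events),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

The create/delete pairing is the point: `cat.bmp` disappears and `cat.bmp.exe` appears, and with HideFileExt set to 1 Explorer shows the new file as `cat.bmp`, so the three `reg add` commands and the file list have to be read together. Run on the full report, the same functions also surface the `Setup.exe` under the Adobe Reader directory, which was rewritten rather than renamed.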

Network Details:

DNS: google.com
Type: A
216.58.219.110
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.110:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.110:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....
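
Decoding the hex dump back into request bytes makes concrete what the empty `User-Agent:` in the summary hints at: the sample's connectivity check sends a bare request line and a Host header and nothing else, which no browser does. The script below is an added example, not part of the report; it assumes only the dump layout shown above (offset, byte count in parentheses, up to four 4-byte hex groups, then an ASCII column) and embeds the first flow's dump as its input.

```python
"""Decode the "Raw Pcap" hex dump on this page and check the reconstructed
HTTP request for headers a browser would always send.

Added example for this page, not code from the report. The dump format
assumed is the one shown above: "0xOFFSET (DECIMAL)   hex groups   ascii".
"""
import re

# Copied from the report's first flow (constructed input for this example).
RAW_DUMP = """
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....
"""

# Offset, then one to four hex groups of up to 8 digits; the ASCII column
# is separated by at least two spaces and never matched.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?){1,4})")

# Headers every mainstream browser sends on a GET.
EXPECTED = ("host", "user-agent", "accept")


def decode_dump(text):
    """Reassemble payload bytes from the hex column, verifying that each
    line's offset equals the number of bytes decoded so far."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:x} does not follow {len(out)} decoded bytes")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_request(payload):
    """Split an HTTP/1.x request into (method, target, version, headers)."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def missing_headers(payload):
    """Expected headers absent from the request, in EXPECTED order."""
    _, _, _, headers = parse_request(payload)
    return [h for h in EXPECTED if h not in headers]


if __name__ == "__main__":
    req = decode_dump(RAW_DUMP)
    print(req)
    print("missing:", missing_headers(req))
```

A proxy or IDS rule that flags HTTP requests with no User-Agent at all (not merely an odd one) catches this beacon without any host- or URL-specific indicator, which matters because the destination here is google.com and cannot be blocked.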


Strings
...
Q
.
..
KK...
.$
j
.
$..
.B.v}pP..G
k..e Q..{.
....M8..
.
..
Z
.
VD
w
..(.2*
Zr
t

[)['+@
+*].^'
04GN#~m
0bj9T'
0H~q')!
:0H<$Q
0"t8#NG
0}/v6?
0xq(n7
0Y />	
<0Zkq~
0ZsDY.X
<1 [<+
#]\,1{
(14%}%
1*48848
17{1*ed
1[d'5{
1[d'5{%
1[d'5{3
1[&dq;
1`dqmO
1%]*hx
}&1i6MF
1_n%3SB#q9h
~1U} i
1WR-3K
1,*xJ<
2{AG;K
2aRYCt
,2c	FT
2\]]?CJ
 ;2) g$
2H]	-(
&~2h.d
*|2h*j.
2 kN,8
2{\ O|
2^&|YU
3?&*1 
3[b	3Sf
3BPr.U
3[d##[
3[d'3[d
3]d;3Z
3[D%q9
3-D^U0
3[e5)[d
3[F!3[
3j)M}Q
3KD#23d
};{3m	
3Q?+m4	V
3QTxe+k
#3Qz!PV
3S&#9}
3SkWQs
3SoeY}L'
3s"v;j
3[t	5Q
3]TO)@
3Wt	5S
3YD%q9
3YeJQfy/|AF
3yF/5Yf
3y #q}
40h&v2
42QcYA
 44{C 
4fG3[d
4G3YBK3YH
4.h(d>
&~4h v
4iVM <
4vzy9t\2B=
4/X(_a]
4ysG)E
51gsqA!
`53^C+
53NJz[
58a+wsj_q
58Ig{o
5[B#qS
	~5D,dN
5DE5[T
5kHr]+aDD
5Qn	?Qd
5S@%3W
5SB#q9
5UI);C
5_>XXt:
5Y6y1-
5]Ys GzKGK`]
60@X/b
62 HW!
_ }66:{
'6A5Nf
6C#Yncv
6#ExJt
6JlS3O
6.\ne-
6[Xmb9
[6Ygc.
75?&YtH 
7ba(]vp'
7[B#s{F/
7e,}7&`
7{f'3[$
7{f'3[d
7{f'3[YN
7i@'2KdG1
7}jBD}
_7M^8L
7]&#Q}L
7Ql	1]e
7S|'sA
(7-Vf(d
7,xHrz#@(Ug6>5
7Y0y1[
&7Y}Hqi
}7ynV9
"_8})/
[81 M*
8	6@u|t3q
8~8G'o
-8a~^fJJ
8#AP!4
8D ^5\
]/8Kt&
8oQ+kPu
8sYn.P
9[2LRwmL>
<~94=~
'[9'=)7
9cL`:y
9.:"cM
9]d	3[b
{;9gq?
9%H'%P/
%-9"iC
9l'L'b
9M&%eR
9O|	?Kr
9Q~/)ML/
9[@/=yD!
9yLEQ}
a>' {*)
a0' a2	 M2+
a0' a>	 OR
a*1 m*
A2Hs[:
'a3)AkA4
A66q)3
a*	 A2% )2
A$e$iBLs
a]K5dPb
AlXE!I
a@-\q&@.
aq6tT3
Ar%/MF'
A"rP<8RB
 a*	 S
 a*	 U
a>w<Oj
a"' Y$/
a>' )z
#bA'yS
_BeHuI
b:h.v.
<	B<j]w
BK#rF^
B\MbCr
BUD2SP
b\v1*;Y
B%z]$	<<
C*% !$'
C6E[-L
C>+ a*
caTbPW
c>	 {d)
CeMd!~fx
CK"^HuD
CkW+oi
Cq{+me
"CQ{nc
@Cre:V?z5
crn7#T01#
@C`/u<
CW=F,u
Cy2MD8
/d/2[d
d2]mu2\
d6O5D3
;_d	9[d
@.data
DdeEnableCallback
{DEqJR
DfAn[(
dG	&qr
Di`C06#
DJ<EJ%
dJ'O!u
/"DkNqs
\d/(o$}
%d{O<b
DSi*(^
;DtV C
+D'TVT
&[Dx.#
(d=Yct_
 E>' {")
E0	 /j
E@3DZ[
~e3[$z
e4o=,c
E'A%1L
$E#BUr<a+
Ec8Zr+K
Ed)XZe
EEd!1[
: EEf6
 EE: UEf*Oq
Ee}vG3
`E=?Ew
}@efzP
	EH^0PH
EIb*v"
E!JLAc
eMN:Yi
emp:RQN
e{+O_	
e{+Oi5
=))e	p
,ePff&
eQ4p8H
EX!d[mW
"f0h f
*f0h v
F0Y5lKj
[F%1]e
*F'1LD
&F2h(r0
-\F%3_f
]F%3_f
\F%3_f
F(3H*Y
*f6h*~&
FbH]r'Kw
{fc)b{'.
"Fdvq-
f&h(\0
F:h.j0
@%f	i}
FiDhQ(
;f"JSZ,\<
\fJzn'M
fkhBGL
FpFwSJQ#
f?U/; 
${f?#X
fXzL\8
>' {") g
^#)#G?
@g2;mO
@@g3[d
G6y<2]5
g8(c%g
G9Os6lJ
>g*-<A
gB4C_2?
G#cP-C
GetCapture
GetCurrentThread
GetDialogBaseUnits
)GF')GD
g'fW>:
g?|%~H5
gmF[F,
%Gn2X*
gn.t	O\
>g"-<O
"G<p6{
G:P=nq
Gr]6QgL
gslml'
=guj#y$=Rw@
|$?Gw]
gZ2?(c
gzK["R
	*?)H	
H'*`26
"H2aAU
>]H4-}J
`H6bk2
*h6h(v<
h`\7CN
h9_PJ'* 
hB/`^i
`]h)/C
?h&e0a
~*h"f>
HfDaz"
hF~q+I\
	%h'	g
H#?hLs
H>HP%6
h>h(T6
"~.h(r*
hr0!;z
{h?TMc
h~tsC#
H*v !BHw
H*v GBH!
+)hwTS
H|({}XK
hxOxC#
H-Xx>~
[hxz)_
HYD{3*
Hyyx0{
-_=+i]
*	 i<'
["	 i<1
,i.*$2N'
i3Hu,<
]=i4A0
I68XG.
i<$7SxV
{I7$XF
"$<I8&
i8P+F0
I^-ar%"
I!c4 =
id=]"e
i{+Eq	
I,f	[-
i{+gq	
@iHB/h^
IK3B|&
i	+MS=
ioa;5t
IsDebuggerPresent
!)iT?{
i#Th%^
i*	<Uf+z
IxLFgx
I`_yLk
IYXsKw
j^ ;\^
J0#bK7*'FF*	
 J&;{3/
J4OK9[u
J/%|_6
jA,R9-
<J>c/qKQ0
jEDOhZ
J@FDb{vIt
&j.h.~8
j:h.j0
jhPu]fJ
(j>h*v
jje]CU
JjH+e-?
&jjhL0
<J:K4:*
,J+:p4
J+|Pxe
%*j~Q<
J%Q^rv
JS+0~1^
Js(MOx 
"JU.:t
>!JXEA&
K0	<!2	 E
K1duJ/
K2J3mA
K4Vh9T
K4({vm
K6L5Vbn
K6@!\m^k
)k"&9f+
k#9pND
_k ":B
<KCkI`
KcS2W`
?Kd	1[d
kdV=4r=
kernel32.dll
<K#GH`[
<K[`H`
k\J|SJQ
~kJy?7
K<	 K"
k@K`/u<
k$MHoN
[kN*g]
k|OHDb
<KS I`K
KsL_Nx
[@K`/u<
@K`/u<
KW+C}=
L16m^j~
.l2h(r
l4G>N>	[
?L}?aA
L(AV#s
lbo:b~
]lE'iU>
Lg3ur8 
l*h(^>
l	i0I@
{l@Irw
LJ#z"YdD
l#m+jjC@"s
L(qkE_
l:&Tc(
l:uMk;
lyhd :
<LYN-q
m2Md4oB
M~5`;U
m\`6D^
M"	 A*
}/m..C
md+R[d
MG-^w~
M*#jA7S=
m^j~i^
MJ,ptl
M(K%7r
M&N:Yi
MQ%9P.
M]=Q&hi
<MrDs^
mslUqX
M'^t]o
M"	 U<+
m~{UY'
}mVKt=
MvPmG:lM
Mwd/wg
mX9,l:
M.@xJ3
MYf5vi
M<Yh]}
*}N\[%
n22+`Z
n4h`~&
n63ao63ao63ao63ao63ao*3ao
n66.Fwk
n/C3};
ncR=z\
@nEIN"j
ngq1`D!
NGSs"+q
nI0DoSJ8
Ni*f?b
NjxWO)yVL/zU
NLO#>,
nmH{V,
Nouo}1
 N p9T
'(@nr].
%~nrM$
-nV4fAp
nWsGS@
nX*l6\
NxlVZy
 ;") O>
[>	 O<
o"1<O<
(o2p9'e
O&@3@t	*
<O_)6x
>O8DxNE
o9>pWG
OcTA\s
oFtQ2X
Oh:D/.
oK_O	M
ol9DG5
OM@Xt(Z
[on'dN|
o|OHbc
:O[pT2
O_rU$+
\ot N$t
ovK15n$H
o!=XiA
()oYwQ
*P0h f0
&P0h(v<
P2h(h0
p3c"@G
$p8f`Y
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
PBtq\	
p}%EF3
$*[p(Ej
P(h(^&
	PLzGn
p=m_5=
p|\~nS"37-
P|N:Yi
p[o3GK	
p;O.7<
_pR)ae
p{<SlJ
PTokKT
!]}pv({
P>[%wJ	b
PX}&ZB{
Q2% g$
q2.|yJ6Z`
q3+oi=
q3+U}=
Q81 M*
Q8+ M&
Q>- a<
QbJZh|^
 !Q{$c
$q/.e5
,~q=f#
qf."xJ3
q;+G]=
-q{+Ga=
q;+GI=
q:GI42Fp
_q'+Gq=
/q{+Gs=
q{+Gu=
qJ-+ET7
qj.^yJ7
&''qKq&1]d
q(.LxJ;
qM5uzW
}Q^M{L'
Qp<y\T
Q.>QV"D
;Qt	=W|
~#QUa4
qvM9m 
qW+G_=
qW+Gs=
-qwKJa
=q)wlm
qW+mq3
-qW+oc=
qW+oq=
;"~{qY
Q"% Y$/
qYSAg&}
"*)&%_r]
R2h*j2
|/R2;sF
 R4h ~&
R9,<_F9
R9-R^E5
[rB;Vlb
`.rdata
RDQp?abW
REYEHAF
rhf9mp
Rich!l
R_ K-A
rKW~Qq
rn6kMcrvh
R!@PA[n$
rqJF`%H
\	r;Yi
,_~:\s
S!5Khxa
+sbf-F%
S;,BYF3
#Sd	3[f
:sG'49
s_$G7J
s_$G7J`
:SJ8NxN
:SJdNx
:SJDOx
:S*jOx
SK6&fk
SKg	i;
#s/l+$
slw.?)
SQ)x217lI$%(;
:Sr2OxN
sR'4GU
S%R'_`VfO
s.r;YicAqH
SSeX,nq
s&wr;awS
SY8DWH;
=/#t 0
|;T4_	[&$
T	d<k?
T|E;"Z
T]G1z:
tg>-<O<
tg"-<Q
!This program cannot be run in DOS mode.
T>JeE,He
TMH0VQ
t/n>NX 
;t,qoz?)#+
Ts7u)!Rd
tsn4nv6
Tx89h=
U*1 '2%
u1z+1<
u22QXf
U2% g$
+U4Bl|
u4%dF&
U9-@]?5
U\cQu]#
|\>ufY
Ug>$3;
~Uh@28E
UIFXy=
u@K`/u<
U@K`/u<
&u)lW|
/[uO&G49E
user32.dll
'*U%ykn'
uzY5!KR>
:]v,_>
|`$"@%V
\(?/V#
v0h.~0
v!",6/
V7C_"Q
V8&%fB
v=cxy 
v=cxyi
v'F"6_
[vfFZf~
.=vGD}a
v=gxPpU
v&h,Z:
VMb2Xv
vmEs`|
{V)!o-
{v)Sj$
vV47L	W
v*(Z<<
W1C7W]
W2% g$
^<-w2T
?W'2v[
W$&.6N
w#?7B-
W*	:A*%:
W|:Ajx,
;WB)7s"
W}bC?"
+W/B	wH"
W$dwaO
we}(weM(
;Wf	?Wd
&W,GaUs)
W<% K>
W&&K7G
W"%<O<
W"%<O*
W>' O0
w{{%OiW
(woN\	
#Wp+-3L9
w}.<QW
wRKsx5Ox
WRnr7y_w
wS>l	X
Wt1:Q{!
W-/v3;
>_W_>ZZ3
X6ScYE
x#AI|(
x?Aq~B
]xb	FJ
xbl+8-&
Xb({raT
#Xc;'^k
xe2Lt6tLM
xH0vtt
xH4T hF
.xH6b+
xH6Iq>
xH>8^ 
XH>`BG.v
xHcAaH
xHcAqH~
xH&<Hm
xHIL1.7:
xH.JsN.Lx`LMx^.
xH#?XH
x&h(Z&
xJ74TVE
x#Jhk+
XJpd[-`
xJ;T5"
+XK]te
*|X*l6
X!=LDI
XLk[	;
XM]jp7z&$(A
x<On?I
*X#^RL@R
{xr/{Vv
XsR&=O
-X:u-`:
Xu{Tw6.
x(wQs (Y
x[Wsn2 rS<j
&x-xJjGE
]@Y&3m)
Y\A*6D
{_yA}7>
<$yCd~
yC+LRwm
\yIDGg}
;Yi.Hsn
y\)-Iy;4
yj1VbFe
yJs4oDx
 Y*% M$	
Y]MY'DQ!
>YNJ}\
}'ynV<
Y"+ O*'
Y*% S.%
;!YtY[:5
	yuL2o
YXykX[u
)@YZyD 
Z`%1[h
Z`%1[l
Z`%1[n
Z2NS]F
Z`%3_`
Z`'3_d
Z`'3_h
Z`%3_l
Z`%3Y`
Z`%3Yf
Z`'3Yj
>Z4o_$
:z#)5x
z\5)yO
~Z6:pQ
ZAkgy} czy
Zb%1[b
Zb'3_f
Zb'3_l
Zb%3Yb
Zb%3Yh
Zb%3Yj
Zb%3Yl
Zb%3Yn
Zb'3Yp
Zd'1Y`
Zd'1Yb
Zd'1Yf
ZD6e((
Zf%1[`
Zf%1[d
Zf'1[l
Zf%1Y`
Zf'1Yd
Zf'1Yf
Zf'3_f
Zf'3_l
Zf%3_l
Zf'3_n
Zg iqe
zg%n;L
,Z>h.P:
&z$h*v
ZK(+wnj
Zl'3Yj
_&-'Zm/
<Zp:1B
z+qXBI
,ZslT/X
zzOMIE