Analysis Date2016-01-28 04:00:13
MD5e5f2f187cc3a129ab2bd87301f61fc69
SHA1d0d1a1728a839fc631414c86df4e875cdd2f3c90

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: a11a79de32ad32d8042f1d6f015e788d sha1: c118b68695c515c11a0b00bc477c852ff79e9d08 size: 508416
Section.rdata md5: 11c459f93e634fad0a6b6056a51e3e4a sha1: de9b72212bd9103ba4dc2c285dc817d8a18fbc0e size: 512
Section.data md5: a4b3b8785ce488ca8a8c9320b25ac0bd sha1: 21377655ec1677cbd704cbf1d4512dec10f1f506 size: 512
Section.rsrc md5: c7e441c65de2b2c9eb41c33176192352 sha1: 903691bc68fd7dbb053f58e263a695fb7538c182 size: 4608
Timestamp2015-01-06 00:36:08
PEhashbd65858d91e01651f622af991ac1b02153cdf2ed
IMPhash41e566939b5866339e079709b1903619
AVCA (E-Trust Ino)Win32/Nabucur.C
AVRisingTrojan.Win32.PolyRansom.a
AVMcafeeW32/VirRansom.b
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVTwisterW32.PolyRansom.b.brnk.mg
AVAd-AwareWin32.Virlock.Gen.1
AVAlwil (avast)MalOb-FE [Cryp]
AVEset (nod32)Win32/Virlock.D virus
AVGrisoft (avg)Generic_r.EKW
AVSymantecW32.Ransomlock.AO!inf4
AVFortinetNo Virus
AVBitDefenderWin32.Virlock.Gen.1
AVK7Trojan ( 0040f9f31 )
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMalwareBytesTrojan.VirLock
AVAuthentiumW32/S-b256b4b7!Eldorado
AVFrisk (f-prot)No Virus
AVIkarusVirus-Ransom.FileLocker
AVEmsisoftWin32.Virlock.Gen.1
AVZillya!Virus.Virlock.Win32.1
AVKasperskyVirus.Win32.PolyRansom.b
AVTrend MicroPE_VIRLOCK.D
AVCAT (quickheal)Ransom.VirLock.A2
AVVirusBlokAda (vba32)Virus.VirLock
AVBullGuardWin32.Virlock.Gen.1
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVClamAVNo Virus
AVDr. WebWin32.VirLock.10
AVF-SecureWin32.Virlock.Gen.1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\eqkskcYs.bat
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\d0d1a1728a839fc631414c86df4e875cdd2f3c90
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HwkoMQAI.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\HwkoMQAI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\eqkskcYs.bat" "C:\malware.exe""
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VckUEgkE.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\d0d1a1728a839fc631414c86df4e875cdd2f3c90
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\OIQgQgEw.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\OIQgQgEw.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\VckUEgkE.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\VckUEgkE.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VckUEgkE.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90"

Creates ProcessC:\d0d1a1728a839fc631414c86df4e875cdd2f3c90

Process
↳ C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90

Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\d0d1a1728a839fc631414c86df4e875cdd2f3c90
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\tyIIoYQw.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\tyIIoYQw.bat
Creates Process"C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90"

Creates ProcessC:\d0d1a1728a839fc631414c86df4e875cdd2f3c90

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90"

Creates ProcessC:\d0d1a1728a839fc631414c86df4e875cdd2f3c90

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileqIAw.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileEMUC.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileC:\RCX2.tmp
Creates FileGSMc.ico
Creates FileSwAI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FileMQcS.exe
Creates FilekuUI.ico
Creates FilecEEY.ico
Creates FilewYUw.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\RCXF.tmp
Creates Filekgku.exe
Creates FileWwMQ.ico
Creates FilemUMC.exe
Creates FileC:\RCX12.tmp
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FilePIPE\lsarpc
Creates FileYgcE.exe
Creates FileEEEO.exe
Creates FileC:\RCXE.tmp
Creates FileMIAu.exe
Creates FileIUQM.ico
Creates FilemogS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileAgkA.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileokQG.exe
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileGewc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FilekMIi.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileUKgA.ico
Creates FileC:\RCX1D.tmp
Creates FilecqkA.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileEmcU.ico
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileC:\RCX17.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FilekQgK.exe
Creates FileqsQg.ico
Creates FileQkQk.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileQIoY.ico
Creates FilecAQi.exe
Creates FileKIQo.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileQkEA.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileCcMM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FilecKMw.ico
Creates FilecCsw.ico
Creates FileC:\RCX3.tmp
Creates FilegUEE.ico
Creates FileQIcM.ico
Creates FileosQE.ico
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileYMEo.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FilemAkC.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileAEcU.ico
Creates FileUaEI.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileycUs.exe
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FilegoUc.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FilesQUq.exe
Creates FileScsW.exe
Creates FilekmkY.ico
Creates FileC:\RCX1C.tmp
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FilekEUi.exe
Creates FileIMQE.ico
Creates FileC:\RCX1A.tmp
Creates FileEowm.exe
Creates FilesAQq.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FilewIwI.ico
Creates FileAwIQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileYsgM.ico
Creates FileIsEs.ico
Creates FileC:\RCX8.tmp
Creates Fileskwa.exe
Creates FileQwAk.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileqUoo.exe
Creates FilegYUU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates Fileoocg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileygIg.ico
Creates FilesUUa.exe
Creates FileC:\RCX16.tmp
Creates FileoMEQ.ico
Creates FileIoQY.exe
Creates FileC:\RCX4.tmp
Creates FilesGoc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileEiIA.ico
Creates FilegUow.exe
Creates FilesAYS.exe
Deletes FileKIQo.exe
Deletes FileqIAw.exe
Deletes FileEMUC.exe
Deletes FileQkEA.exe
Deletes FileCcMM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileGSMc.ico
Deletes FileSwAI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FilecKMw.ico
Deletes FileMQcS.exe
Deletes FilecCsw.ico
Deletes FilekuUI.ico
Deletes FilegUEE.ico
Deletes FileosQE.ico
Deletes FileQIcM.ico
Deletes FilecEEY.ico
Deletes FilewYUw.exe
Deletes FileYMEo.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes Filekgku.exe
Deletes FileWwMQ.ico
Deletes FilemUMC.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilemAkC.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileAEcU.ico
Deletes FileUaEI.ico
Deletes FileycUs.exe
Deletes FileYgcE.exe
Deletes FileEEEO.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FilegoUc.exe
Deletes FileMIAu.exe
Deletes FileIUQM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FilemogS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileAgkA.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileScsW.exe
Deletes FilesQUq.exe
Deletes FilekmkY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileokQG.exe
Deletes FilekEUi.exe
Deletes FileIMQE.ico
Deletes FilesAQq.exe
Deletes FileEowm.exe
Deletes FileAwIQ.exe
Deletes FilewIwI.ico
Deletes FileYsgM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileIsEs.ico
Deletes Fileskwa.exe
Deletes FileqUoo.exe
Deletes FileQwAk.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileGewc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FilegYUU.ico
Deletes Fileoocg.ico
Deletes FilekMIi.exe
Deletes FileUKgA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FilecqkA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileygIg.ico
Deletes FileEmcU.ico
Deletes FilesUUa.exe
Deletes FileoMEQ.ico
Deletes FileIoQY.exe
Deletes FilesGoc.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FilekQgK.exe
Deletes FileqsQg.ico
Deletes FileEiIA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileQkQk.ico
Deletes FileQIoY.ico
Deletes FilegUow.exe
Deletes FilecAQi.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Deletes FilesAYS.exe
Creates Mutex\\xc3\\xb00@
Creates Mutex\\xc3\\xb80@
Creates Mutex\\x081@
Creates MutexnwYEEQIw0
Creates Mutex\\xc3\\xa80@
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutex\\xc3\\xb00@
Creates Mutex\\xc3\\xb80@
Creates Mutex\\x081@
Creates MutexnwYEEQIw0
Creates Mutex\\xc3\\xa80@
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\eqkskcYs.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ C:\d0d1a1728a839fc631414c86df4e875cdd2f3c90

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ Pid 1300

Process
↳ Pid 1848

Process
↳ Pid 1104

Network Details:

DNSgoogle.com
Type: A
216.58.219.142
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.58.219.142:80
Flows TCP192.168.1.1:1032 ➝ 216.58.219.142:80

Raw Pcap

Strings