Analysis Date: 2016-01-27 21:56:28
MD5: a4b62b3103486f5e2cc8339ee7447d59
SHA1: d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3a8fd44bc6202da9288678e2e3c05253  sha1: 2815ffe318f0df1c3e6ca77c64eb9e0461fc7d71  size: 462336
Section .rdata  md5: de97b0af8f050a5fdcdf458bd9816893  sha1: 57d7ab59b362a806fee47bd5c81ba035ceb2f6ce  size: 512
Section .data   md5: db86f5aaa4608880b4a4109d7188f2cd  sha1: f80806caed660dc1b17879cf34cc7cbb2299cb8d  size: 512
Section .rsrc   md5: bb5a8d1597791d8e2fb9a9721c91ce52  sha1: 6ad945d644dd4b6cd87ac54c451dcca32a5e7a46  size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 544bb4a4178bf7b86ee6ec22688bc7912f16f085
IMPhash: 3b8065cb327fa99e4146f04d2dad54d8
AV CA (E-Trust Ino): Win32/Nabucur.C
AV Rising: Trojan.Win32.PolyRansom.a
AV Mcafee: W32/VirRansom.b
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV Twister: W32.PolyRansom.b.brnk.mg
AV Ad-Aware: Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Eset (nod32): Win32/Virlock.D virus
AV Grisoft (avg): Generic_r.EKW
AV Symantec: W32.Ransomlock.AO!inf4
AV Fortinet: No Virus
AV BitDefender: Win32.Virlock.Gen.1
AV K7: Trojan ( 0040f9f31 )
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV MalwareBytes: Trojan.VirLock
AV Authentium: W32/S-b256b4b7!Eldorado
AV Emsisoft: Win32.Virlock.Gen.1
AV Frisk (f-prot): No Virus
AV Ikarus: Virus-Ransom.FileLocker
AV Zillya!: Virus.Virlock.Win32.1
AV Kaspersky: Virus.Win32.PolyRansom.b
AV Trend Micro: PE_VIRLOCK.D
AV VirusBlokAda (vba32): Virus.VirLock
AV CAT (quickheal): Ransom.VirLock.A2
AV BullGuard: Win32.Virlock.Gen.1
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV ClamAV: No Virus
AV Dr. Web: Win32.VirLock.10
AV F-Secure: Win32.Virlock.Gen.1

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TaMAMEcc.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\FecQQQQk.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\TaMAMEcc.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d"
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\FecQQQQk.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\uogsMUwg.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pmMAkYoA.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\uogsMUwg.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\pmMAkYoA.bat" "C:\malware.exe""
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d"

Creates Process: C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\qEQkogkc.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hywgIkMc.bat
Creates File: C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\qEQkogkc.bat
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\hywgIkMc.bat" "C:\malware.exe""
Creates Process: "C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Creates Process: C:\WINDOWS\system32\drwtsn32 -p 952 -e 76 -g

Process
↳ "C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d"

Creates Process: C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7F3F.tmp
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: rkQy.exe
Creates File: peMA.ico
Creates File: C:\RCX2.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: RsQy.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates File: C:\RCX5.tmp
Creates File: NUwk.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\RCX22.tmp
Creates File: C:\RCXF.tmp
Creates File: NsUE.exe
Creates File: C:\RCX12.tmp
Creates File: BksY.exe
Creates File: NYwg.exe
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\RCX18.tmp
Creates File: HUkA.exe
Creates File: tsUE.ico
Creates File: JMgW.exe
Creates File: hAkU.exe
Creates File: C:\RCXE.tmp
Creates File: FskQ.ico
Creates File: VYMg.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: ZOww.ico
Creates File: NMUc.ico
Creates File: dAME.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: Fkgg.ico
Creates File: C:\RCX9.tmp
Creates File: vEEQ.exe
Creates File: PIPE\wkssvc
Creates File: DSIA.ico
Creates File: xKAM.ico
Creates File: tQIc.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: poUi.exe
Creates File: C:\RCX1D.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: hgEW.exe
Creates File: C:\RCX1B.tmp
Creates File: PUgo.ico
Creates File: C:\RCX7.tmp
Creates File: tcEo.exe
Creates File: C:\RCX17.tmp
Creates File: REAA.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates File: ZwUk.exe
Creates File: xukc.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates File: ZGMI.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: pCoE.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: xGkA.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: VsYe.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: NUUs.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: NscU.ico
Creates File: xeYI.ico
Creates File: C:\RCX3.tmp
Creates File: dIYQ.exe
Creates File: XQkQ.ico
Creates File: C:\RCX20.tmp
Creates File: tMcg.ico
Creates File: C:\RCXB.tmp
Creates File: C:\RCX10.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: NccM.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: nYEQ.ico
Creates File: C:\RCXD.tmp
Creates File: huMY.ico
Creates File: NkQs.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File: lSgA.ico
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX1E.tmp
Creates File: C:\RCX6.tmp
Creates File: C:\RCXA.tmp
Creates File: PEAc.exe
Creates File: C:\RCX1F.tmp
Creates File: xyMg.ico
Creates File: ZOQU.ico
Creates File: C:\RCX13.tmp
Creates File: C:\RCX11.tmp
Creates File: tMME.exe
Creates File: C:\RCX21.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: xowm.exe
Creates File: hcMC.exe
Creates File: C:\RCX19.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: tIAa.exe
Creates File: C:\RCX1C.tmp
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: VYMo.ico
Creates File: tMkg.ico
Creates File: xgYK.exe
Creates File: lwAU.exe
Creates File: C:\RCX1A.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: xYQC.exe
Creates File: C:\RCX8.tmp
Creates File: VsYA.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: hIIm.exe
Creates File: XcgI.ico
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: NccI.exe
Creates File: JcsW.exe
Creates File: C:\RCX16.tmp
Creates File: hGoA.ico
Creates File: JKEc.ico
Creates File: C:\RCX4.tmp
Creates File: FUwU.ico
Creates File: NMgg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: pQkq.exe
Creates File: xAQu.exe
Deletes File: pCoE.ico
Deletes File: xGkA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: VsYe.exe
Deletes File: NUUs.exe
Deletes File: rkQy.exe
Deletes File: peMA.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: RsQy.exe
Deletes File: NscU.ico
Deletes File: xeYI.ico
Deletes File: NUwk.ico
Deletes File: dIYQ.exe
Deletes File: XQkQ.ico
Deletes File: tMcg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: NsUE.exe
Deletes File: BksY.exe
Deletes File: NccM.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: nYEQ.ico
Deletes File: huMY.ico
Deletes File: NkQs.exe
Deletes File: NYwg.exe
Deletes File: lSgA.ico
Deletes File: HUkA.exe
Deletes File: tsUE.ico
Deletes File: JMgW.exe
Deletes File: PEAc.exe
Deletes File: hAkU.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: FskQ.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: xyMg.ico
Deletes File: VYMg.exe
Deletes File: ZOQU.ico
Deletes File: tMME.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: hcMC.exe
Deletes File: xowm.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: NMUc.ico
Deletes File: ZOww.ico
Deletes File: dAME.exe
Deletes File: tIAa.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: Fkgg.ico
Deletes File: VYMo.ico
Deletes File: tMkg.ico
Deletes File: xgYK.exe
Deletes File: lwAU.exe
Deletes File: vEEQ.exe
Deletes File: DSIA.ico
Deletes File: xKAM.ico
Deletes File: xYQC.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: VsYA.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: tQIc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: hIIm.exe
Deletes File: poUi.exe
Deletes File: XcgI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: NccI.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: JcsW.exe
Deletes File: hgEW.exe
Deletes File: PUgo.ico
Deletes File: tcEo.exe
Deletes File: REAA.ico
Deletes File: hGoA.ico
Deletes File: JKEc.ico
Deletes File: ZwUk.exe
Deletes File: FUwU.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes File: NMgg.ico
Deletes File: pQkq.exe
Deletes File: xukc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: xAQu.exe
Deletes File: ZGMI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\FecQQQQk.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\hywgIkMc.bat" "C:\malware.exe""

Process
↳ "C:\d6b6909e1b55805daf1c7c28b4ac6cd2eef1322d"

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 952 -e 76 -g

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 844

Process
↳ Pid 1012

Process
↳ Pid 1204

Process
↳ Pid 1292

Process
↳ Pid 1848

Process
↳ Pid 1080
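
The runtime events above give a triage rule everything it needs: reg.exe turning off UAC (EnableLUA=0) and hiding file extensions and hidden files (HideFileExt=1, Hidden=2), Run keys and a service pointing at freshly dropped executables, repeated mutex names, and every sample picture or music file replaced by a <name>.<ext>.exe copy while the original is deleted. The Python below is an added example for this page, not part of the sandbox report or of any sandbox product. It parses event lines in the "Label: value" layout used on this page, runs them against a small constructed sample modelled on the events above, and returns the findings. The file-type list, the value-tamper table and the scoring weights are assumptions made for the example.

```python
import re

# Event layout assumed here: "<label>: <value>", one event per line.
EVENT_RE = re.compile(
    r"^(Registry|Creates File|Deletes File|Creates Process|Creates Service|Creates Mutex): (.*)$"
)
# File types the report shows wrapped as <name>.<ext>.exe; the list is an assumption.
WRAPPED_RE = re.compile(
    r"^(?P<orig>.+\.(?:bmp|jpe?g|png|gif|wma|mp3|pdf|docx?|xlsx?))\.exe$", re.I
)
RUN_KEY_RE = re.compile(r"\\windows\\currentversion\\run\\", re.I)
# (key suffix, value name, data) -> finding; assumed table built from the reg add
# commands in the report, extend it for other tampering you care about.
REG_TAMPER = {
    ("policies\\system", "enablelua", "0"): "uac_disabled",
    ("explorer\\advanced", "hidden", "2"): "hidden_files_suppressed",
    ("explorer\\advanced", "hidefileext", "1"): "extensions_hidden",
}

def parse_reg_add(cmd):
    """Return (key, value_name, data) for a 'reg add' command line, else None.
    /v and /d are accepted in either order, as both orders occur in the report."""
    m = re.match(r"reg add (\S+)(.*)", cmd, re.I)
    if not m:
        return None
    key, opts = m.groups()
    v = re.search(r"/v\s+(\S+)", opts, re.I)
    d = re.search(r"/d\s+(\S+)", opts, re.I)
    return (key, v.group(1), d.group(1)) if v and d else None

def classify_reg_add(cmd):
    """Map a 'reg add' command to a tamper label, or None if it is not in the table."""
    parsed = parse_reg_add(cmd)
    if parsed is None:
        return None
    key, name, data = parsed
    for (suffix, vname, bad), label in REG_TAMPER.items():
        if key.lower().endswith(suffix) and name.lower() == vname and data == bad:
            return label
    return None

def triage(lines):
    """Collect VirLock-style indicators from sandbox event lines."""
    created, deleted = set(), set()
    f = {"reg_tamper": set(), "run_keys": [], "services": [],
         "wrapped_files": [], "mutexes": set()}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        label, value = m.groups()
        if label == "Creates Process":
            hit = classify_reg_add(value)
            if hit:
                f["reg_tamper"].add(hit)
        elif label == "Registry":
            key, _, target = value.partition(" ➝ ")
            if RUN_KEY_RE.search(key):
                f["run_keys"].append(target.strip())
        elif label == "Creates Service":
            f["services"].append(value)
        elif label == "Creates Mutex":
            f["mutexes"].add(value)
        elif label == "Creates File":
            created.add(value)
        elif label == "Deletes File":
            deleted.add(value)
    # A wrapped file counts only when the original was also removed; that is what
    # separates the infection seen above from a harmless <name>.ext.exe artifact.
    for path in sorted(created):
        w = WRAPPED_RE.match(path)
        if w and w.group("orig") in deleted:
            f["wrapped_files"].append(path)
    f["reg_tamper"] = sorted(f["reg_tamper"])
    f["mutexes"] = sorted(f["mutexes"])
    return f

def score(f):
    """Crude verdict score: each tamper, each persistence mechanism and each
    wrapped file (capped at 3) adds a point. Weights and cap are assumptions."""
    return (len(f["reg_tamper"]) + bool(f["run_keys"]) + bool(f["services"])
            + min(len(f["wrapped_files"]), 3))

# Constructed sample in the layout of this report (a subset, not the full log).
SAMPLE_EVENTS = [
    r"Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe",
    r"Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe",
    r"Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg",
    r"Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe",
    r"Creates Mutex: vWcsggUA",
    r"Creates Mutex: vWcsggUA",
    r"Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe",
]
```

Calling `triage(SAMPLE_EVENTS)` returns all three registry tampers, the HKCU Run target, the BgMMsMHT service and Winter.jpg.exe as a wrapped file; guest.bmp.exe is not counted because no matching delete of guest.bmp is in the sample, and `score()` comes out at 6. To run it over this page, feed the "Creates File", "Deletes File", "Creates Process", "Registry", "Creates Mutex" and "Creates Service" lines of each process block; the parent-process Run-key entries and the service above will light up the same way.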

Network Details:

DNS: google.com (A) ➝ 64.233.185.101
DNS: google.com (A) ➝ 64.233.185.102
DNS: google.com (A) ➝ 64.233.185.113
DNS: google.com (A) ➝ 64.233.185.138
DNS: google.com (A) ➝ 64.233.185.139
DNS: google.com (A) ➝ 64.233.185.100
HTTP GET: http://google.com/ (User-Agent: empty)
HTTP GET: http://google.com/ (User-Agent: empty)
HTTP GET: http://google.com/ (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 64.233.185.101:80
Flows TCP: 192.168.1.1:1032 ➝ 64.233.185.101:80
Flows TCP: 192.168.1.1:1033 ➝ 64.233.185.101:80
