Analysis Date2015-11-25 07:30:19
MD52986186e1d4259cd379473bf0950c7eb
SHA1db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: f450a39e87251e400cac0be5c24a59b6 sha1: 0297b9e247edd92412d775565a279c8d388c9f01 size: 443904
Section.rdata md5: b2e6785a74264d7feace407bcfe48b1d sha1: 2d8acda501b1b372911f242a85856b3341398dea size: 512
Section.data md5: a9eae96e77f4a06184dc8303086d6b3c sha1: 3b91ec09f09242d17c34e6fc0b822da8ba5ac896 size: 512
Section.rsrc md5: 703a9bbaf15a828f39819647e4cbe2d0 sha1: d5962e9cb151d5643f58c284691a315aed4f7253 size: 4608
Timestamp2015-01-06 00:36:08
PEhash67c596383d9522885f0c23972fa10a742ccf1dbc
IMPhash26426e7f1acb305af516ff5cb03d53a9
AVMcafeeW32/VirRansom.b
AVMcafeeW32/VirRansom.b
AVCA (E-Trust Ino)Win32/Nabucur.C
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVCA (E-Trust Ino)Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVPadvishno_virus
AVPadvishno_virus
AVCAT (quickheal)Ransom.VirLock.A2
AVRisingTrojan.Win32.PolyRansom.a
AVRisingTrojan.Win32.PolyRansom.a
AVCAT (quickheal)Ransom.VirLock.A2
AVSophosW32/VirRnsm-C
AVAd-AwareWin32.Virlock.Gen.1
AVSymantecW32.Ransomlock.AO!inf4
AVSymantecW32.Ransomlock.AO!inf4
AVClamAVno_virus
AVTrend MicroPE_VIRLOCK.D
AVTrend MicroPE_VIRLOCK.D
AVClamAVno_virus
AVTwisterW32.PolyRansom.b.brnk.mg
AVTwisterW32.PolyRansom.b.brnk.mg
AVAuthentiumW32/S-b256b4b7!Eldorado
AVVirusBlokAda (vba32)Virus.VirLock
AVVirusBlokAda (vba32)Virus.VirLock
AVDr. WebWin32.VirLock.10
AVZillya!Virus.Virlock.Win32.1
AVZillya!Virus.Virlock.Win32.1
AVDr. WebWin32.VirLock.10
AVAuthentiumW32/S-b256b4b7!Eldorado
AVEmsisoftWin32.Virlock.Gen.1
AVEmsisoftWin32.Virlock.Gen.1
AVAlwil (avast)MalOb-FE [Cryp]
AVEset (nod32)Win32/Virlock.D virus
AVEset (nod32)Win32/Virlock.D virus
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVFortinetW32/Zegost.ATDB!tr
AVFortinetW32/Zegost.ATDB!tr
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVFrisk (f-prot)no_virus
AVFrisk (f-prot)no_virus
AVAlwil (avast)MalOb-FE [Cryp]
AVF-SecureWin32.Virlock.Gen.1
AVF-SecureWin32.Virlock.Gen.1
AVBitDefenderWin32.Virlock.Gen.1
AVGrisoft (avg)Generic_r.EKW

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dqQUMUQo.bat
Creates FileC:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\noYkYsQo.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\dqQUMUQo.bat
Creates Process"C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\noYkYsQo.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\noYkYsQo.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\noYkYsQo.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\IKUEsEMQ.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\IKUEsEMQ.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\44ef_appcompat.txt
Creates FileC:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\AaYIMAUU.bat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\aMIkIEYw.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\AaYIMAUU.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0"
Creates ProcessC:\WINDOWS\system32\dwwin.exe -x -s 1780
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0"

Creates ProcessC:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\wIokAooQ.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0"

Creates ProcessC:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Process
↳ C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Creates FileC:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HsEMIIMI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\IKUEsEMQ.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\HsEMIIMI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\IKUEsEMQ.bat" "C:\malware.exe""
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0"

Creates ProcessC:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates Fileaoki.exe
Creates FileC:\RCX2.tmp
Creates FileKIQU.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates Fileewgs.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FileaaAQ.ico
Creates FileKsgC.exe
Creates FileeIMK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileaAsU.ico
Creates FileuIcA.ico
Creates FileqYMu.exe
Creates FileC:\RCXF.tmp
Creates FileCwsy.exe
Creates FileC:\RCX12.tmp
Creates FileaUMY.ico
Creates FileGqso.ico
Creates FileKEEQ.ico
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FileC:\RCXE.tmp
Creates FileicMQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileCsAw.ico
Creates FileasIS.exe
Creates FileOsAu.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DF5A5C.tmp
Creates Filegska.exe
Creates FilePIPE\wkssvc
Creates Fileukcq.exe
Creates FileuQso.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileimQQ.ico
Creates FileeIAw.exe
Creates FileEUUQ.exe
Creates FileC:\RCX1D.tmp
Creates FileUIUM.exe
Creates FilemgUw.exe
Creates FileOKMo.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileqYIe.exe
Creates FileeIwo.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileuEkO.exe
Creates FileC:\RCX17.tmp
Creates FileCAQs.ico
Creates FilewWAk.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileOWIY.ico
Creates FileaMUS.exe
Creates Fileoqgg.ico
Creates FileOWIA.ico
Creates FileIyAg.ico
Creates FileWQcE.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileuQoM.ico
Creates FileqwUg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FilewyUo.ico
Creates FileSOog.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileCkks.ico
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileOAUY.ico
Creates FileyEwg.exe
Creates FileC:\RCX3.tmp
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileKwws.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileOIQm.exe
Creates FilekUso.ico
Creates FileisAQ.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates FileWIQa.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileioIU.ico
Creates FileeoMI.ico
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FilekmoE.ico
Creates FileaOgk.ico
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileEuYg.ico
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileOgsq.exe
Creates FileCwcU.ico
Creates FileuwsA.ico
Creates FileywMm.exe
Creates FileC:\RCX8.tmp
Creates FilesEAu.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FilemMAw.exe
Creates FileMqIs.ico
Creates FileOcYI.exe
Creates FileC:\RCX16.tmp
Creates FileQEEq.exe
Creates FileC:\RCX4.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileeIYy.exe
Creates FileaIIQ.ico
Creates FileaQow.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilewyUo.ico
Deletes FileSOog.ico
Deletes Fileaoki.exe
Deletes FileCkks.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileKIQU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileOAUY.ico
Deletes Fileewgs.ico
Deletes FileyEwg.exe
Deletes FileaaAQ.ico
Deletes FileKsgC.exe
Deletes FileeIMK.exe
Deletes FileaAsU.ico
Deletes FileuIcA.ico
Deletes FileqYMu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileCwsy.exe
Deletes FileKwws.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileaUMY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileGqso.ico
Deletes FileKEEQ.ico
Deletes FileOIQm.exe
Deletes FilekUso.ico
Deletes FileisAQ.exe
Deletes FileWIQa.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileioIU.ico
Deletes FileeoMI.ico
Deletes FileicMQ.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FilekmoE.ico
Deletes FileaOgk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileCsAw.ico
Deletes FileasIS.exe
Deletes FileOsAu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileEuYg.ico
Deletes Filegska.exe
Deletes FileOgsq.exe
Deletes FileuwsA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileCwcU.ico
Deletes FileywMm.exe
Deletes Fileukcq.exe
Deletes FilesEAu.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileuQso.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileimQQ.ico
Deletes FileeIAw.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileEUUQ.exe
Deletes FileUIUM.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FilemgUw.exe
Deletes FileOKMo.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileMqIs.ico
Deletes FilemMAw.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileqYIe.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileeIwo.exe
Deletes FileOcYI.exe
Deletes FileuEkO.exe
Deletes FileQEEq.exe
Deletes FilewWAk.ico
Deletes FileCAQs.ico
Deletes FileOWIY.ico
Deletes FileaMUS.exe
Deletes FileOWIA.ico
Deletes Fileoqgg.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FileIyAg.ico
Deletes FileeIYy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileWQcE.exe
Deletes FileaIIQ.ico
Deletes FileuQoM.ico
Deletes FileaQow.ico
Deletes FileqwUg.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1152

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 1780

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ C:\db21b04b10e6cc66bbf7a0b0ae75d844d20d82d0

Network Details:

DNSgoogle.com
Type: A
216.58.219.174
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.58.219.174:80
Flows TCP192.168.1.1:1032 ➝ 216.58.219.174:80

Raw Pcap

Strings