Analysis Date: 2015-01-14 13:34:23
MD5: bd671a8751fc32419f2567a0d9dbf7e8
SHA1: ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 145e623aa299dbbff35de58bda2996f24f96eb73
IMPhash: (empty)
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Obfus.3.Gen
AV Alwil (avast): VirLock-A:Win32:VirLock-A
AV Arcabit (arcavir): Trojan.Obfus.3.Gen
AV Authentium: W32/S-7136ec3b!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Trojan.Obfus.3.Gen
AV CA (E-Trust Ino): Win32/Nabucur.A
AV CAT (quickheal): Ransom.VirLock.A2
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Obfus.3.Gen
AV Eset (nod32): Win32/Virlock.G virus
AV Fortinet: W32/Agent.NCA
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Obfus.3.Gen
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Virus-Ransom.FileLocker
AV K7: Virus ( 0040f99f1 )
AV Kaspersky: Virus.Win32.PolyRansom.a
AV MalwareBytes: Trojan.VirLock
AV Mcafee: Trojan-FFGO!BD671A8751FC
AV Microsoft Security Essentials: Virus:Win32/Nabucur.gen!A
AV MicroWorld (escan): Trojan.Obfus.3.Gen
AV Rising: no_virus
AV Sophos: W32/VirRnsm-A
AV Symantec: W32.Ransomlock.AO!inf
AV Trend Micro: PE_FINALDO.F
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OIgcgIsE.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\EaYcIIcg.bat
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\EaYcIIcg.bat
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\OIgcgIsE.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1 (Explorer hides extensions of known file types)

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\KwIwAQYk.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\KwIwAQYk.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\MwIocUUE.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HsYskosc.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\MwIocUUE.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\HsYskosc.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL (the reg add command above requests DWORD 0; the sandbox presumably renders that value as NULL)

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2 (Explorer does not show hidden files and folders)

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\nYoMwQkA.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nYoMwQkA.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\EgEQwYgk.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nYoMwQkA.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\EgEQwYgk.bat
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\nYoMwQkA.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\cEEgUMAg.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\gWcowYko.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\gWcowYko.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\cEEgUMAg.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\VksIsEAU.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\FOMgAwIw.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZmUMUMok.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\FOMgAwIw.bat
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ZmUMUMok.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates ProcessC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CcEwcckI.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\KwIwAQYk.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CcEwcckI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\KwIwAQYk.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\PkcoccMo.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PkcoccMo.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\OIgcgIsE.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VksIsEAU.bat
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZOwsAIEw.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZOwsAIEw.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\VksIsEAU.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\HsYskosc.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ZmUMUMok.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZmUMUMok.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PMwocIAM.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZaUMQoII.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PMwocIAM.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ZaUMQoII.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\FuwYUEMw.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DokwAgUM.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\DokwAgUM.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\FuwYUEMw.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"

Creates ProcessC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\FuwYUEMw.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\FuwYUEMw.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ZaUMQoII.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PkcoccMo.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\KGEYAUcE.bat
Creates FileC:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\KGEYAUcE.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\PkcoccMo.bat" "C:\malware.exe""
Creates Process"C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\cEEgUMAg.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileRIIQ.exe
Creates FilelEEG.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileFUAY.exe
Creates FileRYIo.ico
Creates FileXQsK.ico
Creates FilePIPE\wkssvc
Creates FileNMAe.ico
Creates Filebcka.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileBcwG.exe
Creates FileRoYq.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates Filerscm.exe
Creates Filexcce.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileFgwu.exe
Creates FileBUcY.exe
Creates FileC:\RCX16.tmp
Creates FileJsMm.exe
Creates File\Device\Afd\Endpoint
Creates FilenUYg.exe
Creates FileC:\RCXE.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FilexosA.ico
Creates FilepUIS.ico
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileXYQS.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FilePIsE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Deletes FileRIIQ.exe
Deletes FilelEEG.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileFgwu.exe
Deletes FileFUAY.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileRYIo.ico
Deletes FileBUcY.exe
Deletes FileJsMm.exe
Deletes FileNMAe.ico
Deletes Filebcka.exe
Deletes FilenUYg.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileBcwG.exe
Deletes FileRoYq.ico
Deletes FilexosA.ico
Deletes FilepUIS.ico
Deletes Filerscm.exe
Deletes FileXYQS.ico
Deletes Filexcce.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FilePIsE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\RCX9.tmp
Creates FilelAsi.exe
Creates FileFMUk.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FilePIPE\wkssvc
Creates FileFIIc.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\RCX8.tmp
Creates FileC:\RCX5.tmp
Creates FilebYkI.ico
Creates FileRAoi.exe
Creates FileC:\RCX3.tmp
Creates FileREEg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FiletYUa.ico
Creates FileZkEc.exe
Creates FileVcYc.exe
Creates FilehMgY.exe
Creates FileBMUQ.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileNYww.exe
Creates FileZgIw.exe
Creates FileC:\RCXD.tmp
Creates FilezIYI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\RCX7.tmp
Creates FilehwQE.ico
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileFwIo.ico
Creates FileC:\RCX6.tmp
Creates FilevEIW.exe
Creates FilewEQi.exe
Creates FiledYMy.exe
Creates FileC:\RCXA.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\RCX4.tmp
Creates FiledwIQ.ico
Creates FileRwgM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileIoQQ.ico
Creates FiletQwK.ico
Creates FilezsEE.ico
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileDQAm.exe
Creates Filehcou.exe
Deletes FilelAsi.exe
Deletes FileFMUk.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileFIIc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilebYkI.ico
Deletes FileREEg.exe
Deletes FileVcYc.exe
Deletes FileZkEc.exe
Deletes FiletYUa.ico
Deletes FilehMgY.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileBMUQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileZgIw.exe
Deletes FileNYww.exe
Deletes FilezIYI.ico
Deletes FilehwQE.ico
Deletes FileFwIo.ico
Deletes FilewEQi.exe
Deletes FilevEIW.exe
Deletes FiledYMy.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FiledwIQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileIoQQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FiletQwK.ico
Deletes Filehcou.exe
Deletes FileDQAm.exe
Deletes FilezsEE.ico
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: \Device\Afd\Endpoint
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates File: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates Process: taskkill /FI "USERNAME eq Administrator" /F /IM VyAMAMkQ.exe
Creates Process: C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\ec30213a664e0fd5dab1c54adee5b25a9581e1c2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ taskkill /FI "USERNAME eq Administrator" /F /IM VyAMAMkQ.exe

Creates File: PIPE\lsarpc

Network Details:

DNS: google.com
Type: A
173.194.125.71
DNS: google.com
Type: A
173.194.125.70
DNS: google.com
Type: A
173.194.125.69
DNS: google.com
Type: A
173.194.125.68
DNS: google.com
Type: A
173.194.125.67
DNS: google.com
Type: A
173.194.125.66
DNS: google.com
Type: A
173.194.125.65
DNS: google.com
Type: A
173.194.125.64
DNS: google.com
Type: A
173.194.125.78
DNS: google.com
Type: A
173.194.125.73
DNS: google.com
Type: A
173.194.125.72
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1032 ➝ 173.194.125.71:80
Flows TCP: 192.168.1.1:1033 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1034 ➝ 173.194.125.71:80
Flows TCP: 192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP: 192.168.1.1:1037 ➝ 173.194.125.71:80
Flows TCP: 192.168.1.1:1038 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1039 ➝ 200.87.164.69:9999
Flows TCP: 192.168.1.1:1040 ➝ 173.194.125.71:80
Flows TCP: 192.168.1.1:1041 ➝ 190.186.45.170:9999
Flows TCP: 192.168.1.1:1042 ➝ 200.119.204.12:9999

Raw Pcap
0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   94                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   94                                    .


Strings
..O.v\
.
.
E
....
sa
04pB!q	
,0F&?cF
0!gYHg
0`V=aq
|1%Jc}X
1nOr@-
1rog"#
*1T/.3
/:,2/ 
2AU>jY
2|bTV,d
2dCT_k.y=\=
2dMWi9
2dVWwuO*2`
2H'*0T'
2N:,b&
,2T*n A
*3=6#_boB
%=3j&h
3re{4R
3[rR3[
3Tl.5Ag
$/3Tl+p
48H.U9
4G4y`E&ydP
%;4jfh
,4T&+rA%'p
5+3%Z&
5dE<{`
5jfhWg
@!5kD<!
$5kD<+
5k*o,4
5R	A58l
@!5rD<l
#5rD<l
@",5Ta'
62 GV!d.
62 ]V3d
62 _V#$n
62 XV3
+6A&zd
6hWeYX
6(HzYG
6h'zYh
%6kg(`
6k\$G	I;
6k\$GII
*6vthT
7/1Aen 	
7h'{Y(
7l3T"-
7:LNg7
9[\~i>
9LP>;i
a0>wQas
A16DSi
A2qcgsu
a9kN%Q
@a<kE$u
<Am_--^^B+
AnvlZ~F3V
aZVH^+
)b^_]<
&?B+8(*
bEu%bIuebMu
)b^O	2d
Bt9J/_(
bVx]	w(
bVx]	w(\
cFf,5Tim3
Cijnqr
CiN#/^
'cUZ($
cUZhdU
DeIUqYQ
Dfg Tke
Dfl1T'
D& Hj:w
d>i#n.wQet 
d+kFfz
dl#G!a 
dNG(X%
dNGyJdVP
d(oq9J
d[^p5J&I r
DTV-d`
;dW15kQ<
EaA]]rM
@^E}Cvq
Ej<cNI
E%k Tej
E)'p+Z&
<E vGe
EVxQnv!
EYxg:;
E*)>$Z
fAuIfIuifMu	fQu
fh]t	hg
%&)*fhWd
@fo H"'r
f{ T.g#
G$5kA<
G'5{V<or
"g,)Ao.
Gbl1T'/6
#Gf,5Ti
Gh4gN[
GJf	d[
go5Agm5
go H"&
GRpXMY
g Tkc N
GZ5A(M
G&zdP4:%Qt
)h^ $(
h$>2*f
h$>2*fh
(h3O1<
H',5Ta+
hB^qY'
hgW)hWe
hh'_	(
h;hrul'
hJnVK_
,h_nUB
Hr,'K7
&h}t	x
h}t	x'
>H-ueL<
h:u'I8
)hWeYG
)hWeYX
hxg 8w
H"y`D!
I2g /n
i$>2j&
i$87jf(
ia^'*<
Ia|32G,
ic^U4<
IDs\?.
}.<IfG
if^zw|m
i$g(jf(
ihVeXY 
]`i{}o
iQYw9^
ItQQh.Kz
&)iv|/
i'vlj'
iv^&Z|
ix^M'0M
jAuAjEu!jMu
\jCkZ_e
JDaA]]q
$JfeF(}buS
)j&hWd
j'LVn'
%|JNK9
(jrP%T
jXI/<w
-jxLun
@j	zS"	^
k5Fek G&
k5M"$q
k8IR6,
k A&l1
k A&n 
KA}qmM
KC_7;q;QY
khF&w(
k*ol4pvH
k*ooIdr
$Kop5J
-\KR(O
$k Te/
k'+T/j
kvS9Jf
kvx$Kop5J
L	0C,[
l^1d|3
L2a,H2
l5G&;+
l5T-,r
l.bRN	
l`D%j`
L'<:E'j
l F%z Q
-lg1lC||mV
Lgl5T-
L"	^O)JA
LradUcQ
luD%/u
lUZi$U
}">	mc
mH\"Vx
m>j]v$
)&^&M|Rl
@mW&DQG
@mWJDQG
nAuMnEu-nIumnQu
NB^qK4
n.i#n.wQcrh(
nP21[]
:NPF4QF>6FF
n^(r|Z6
<NSbZ0)
NSYN`Y
n T%n 
>O*2`q
Oe'R||{
o(;FW5
o H"zd
oLNNjqH
|OVxYnG.\
o.W/<>
o.Yx(*?
	^O)ZY
p0>wQos)
PBgt5-aP
P-l%1,
pMl/,Bi
pn^r;,
)p^O	2dQ
Q1E-5 
QM!<P{
:#Qr;$P
q`VB^q
QZ:'i	CF
r5+P<f
rAu]rEu=rIu}rMu
ReDqBU
Rich!4O
R*JaBf	V?]
Rj{nANeL
R<l @&*q
R^[T.?
R^]T+4N*2 
R^'V|>9
R^v~RD
R^!WcZA
S9Wr=~
,#_.sB
sC[:n&4
SGrZ5:Np?
^SUeNS
)S^Xg<
t28*l'
<t4p^NK-^l
t5kG<"
t5kG<*
T6mJ^KK_
!{^TBz\
!This program cannot be run in DOS mode.
tH(W05k*o/I
T\!mNi
tO"|`D
>TU|*DI
T^u{EcA
^u<#_C`B^
@^uCEcA
u	fC)H
U)hWeYG
u|O<,1
".U" sW
UY(*P	"h
v0j+8S
v7PkL>
vAuYvEu9vIuyvMu
V(N!t1F
V{vkSGb
@Vx_nG-
Vx_nG \
Vx_nG-
VxQmF#\
VxQmv!
VxQmv!\
VxQmx!\
VxQmz!\
VxQnv!
VxQnv!\
VxS	4	
VxYnG$\
@<-@+w
w,1G%/6
w5kR<,
~w879*
)(WeYG
)(WeYX
wh,w29
wk A&+
wmeH+FK
=w\MR:a
W\"VxQnv!\
)(W%YX
)(WzYX
($^[(!X
Xi$&)*&
Xi$=2j
Xi$<3jf(Wg
?x//mw
XNaW]v
};{xQ>
XQ"}'Lm
XT<8O?
xVU$4$
xXzBb[
Y$G$Jf
y(gw	r
YNN*mR
~<YVV,
Yz:#_kZB^
	z*"@.
@z$'C?
_Z)L0[+
z$Pt{$Q