Analysis Date2015-09-08 02:00:42
MD5b43d32bee4f31d81434ba83546ef604c
SHA1fbdb8c4b93af04943c99643490a9d8e9815ae011

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 9d5ae6f2d446e9122dbc892dc0d5db1f sha1: 52c9122135467e0a131bd7b94e83a59b6f5b7e2f size: 451072
Section.rdata md5: 605776721c9e8773830b8333e0a13fa3 sha1: 38386f05016f7fb284059de67b29561c27e78a69 size: 512
Section.data md5: a8b8c0c4ed67b4992640ea006b183050 sha1: 04425156bd617f83809a9d24e222f75b8fc4a1c0 size: 512
Section.rsrc md5: cd78f4aee101e2085dc42e4d80647480 sha1: 7d0ee7217fc27f7bbaaf403d31af797d105e3174 size: 4608
Timestamp2015-01-06 00:36:08
PEhash12ca1fe2571f1888b3262c39b349092cb43ee7b6
IMPhash24a16f3d00ae40ac56e8759c01e3ba85
AVRisingTrojan.Win32.PolyRansom.a
AVMcafeeW32/VirRansom.b
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVTwisterW32.PolyRansom.b.brnk.mg
AVAd-AwareWin32.Virlock.Gen.1
AVAlwil (avast)MalOb-FE [Cryp]
AVEset (nod32)Win32/Virlock.G virus
AVGrisoft (avg)Generic_r.EKW
AVSymantecW32.Ransomlock.AO!inf4
AVFortinetW32/Zegost.ATDB!tr
AVBitDefenderWin32.Virlock.Gen.1
AVK7Trojan ( 0040f9f31 )
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMalwareBytesTrojan.VirLock
AVAuthentiumW32/S-b256b4b7!Eldorado
AVFrisk (f-prot)no_virus
AVIkarusVirus-Ransom.FileLocker
AVEmsisoftWin32.Virlock.Gen.1
AVZillya!Virus.Virlock.Win32.1
AVKasperskyVirus.Win32.PolyRansom.b
AVTrend MicroPE_VIRLOCK.D
AVCAT (quickheal)Ransom.VirLock.A2
AVVirusBlokAda (vba32)Virus.VirLock
AVPadvishno_virus
AVBullGuardWin32.Virlock.Gen.1
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVClamAVno_virus
AVDr. WebWin32.VirLock.10
AVF-SecureWin32.Virlock.Gen.1
AVCA (E-Trust Ino)Win32/Nabucur.C

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\fbdb8c4b93af04943c99643490a9d8e9815ae011
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\PeEAkUIc.bat
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZYoAAIAU.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\PeEAkUIc.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\ZYoAAIAU.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\fbdb8c4b93af04943c99643490a9d8e9815ae011"
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\JMoQsQYs.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\JMoQsQYs.bat
Deletes FileC:\malware.exe
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ "C:\fbdb8c4b93af04943c99643490a9d8e9815ae011"

Creates ProcessC:\fbdb8c4b93af04943c99643490a9d8e9815ae011

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\ZYoAAIAU.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZYoAAIAU.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\fbdb8c4b93af04943c99643490a9d8e9815ae011

Creates FileC:\fbdb8c4b93af04943c99643490a9d8e9815ae011
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\KoAsQcAI.bat
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zwIkEwME.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\zwIkEwME.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\KoAsQcAI.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\fbdb8c4b93af04943c99643490a9d8e9815ae011

Creates FileC:\fbdb8c4b93af04943c99643490a9d8e9815ae011
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nogUoswE.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZusMMYkU.bat
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\ZusMMYkU.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\nogUoswE.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\fbdb8c4b93af04943c99643490a9d8e9815ae011"
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ "C:\fbdb8c4b93af04943c99643490a9d8e9815ae011"

Creates ProcessC:\fbdb8c4b93af04943c99643490a9d8e9815ae011

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\nogUoswE.bat" "C:\malware.exe""

Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ "C:\fbdb8c4b93af04943c99643490a9d8e9815ae011"

Creates ProcessC:\fbdb8c4b93af04943c99643490a9d8e9815ae011

Process
↳ C:\fbdb8c4b93af04943c99643490a9d8e9815ae011

Creates FileC:\fbdb8c4b93af04943c99643490a9d8e9815ae011
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\uIwQkock.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\JMoQsQYs.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\uIwQkock.bat
Creates Process"C:\fbdb8c4b93af04943c99643490a9d8e9815ae011"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\JMoQsQYs.bat" "C:\malware.exe""
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FilerYIo.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FilejsMQ.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FilePwwq.exe
Creates FileLogY.exe
Creates FilerkwE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileHcQS.exe
Creates FileNqQc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileTYAI.exe
Creates FileHikY.ico
Creates FileC:\RCX5.tmp
Creates FilePwcm.exe
Creates FilepiIw.ico
Creates FileC:\RCX3.tmp
Creates FilePYsO.exe
Creates FileC:\RCX10.tmp
Creates FilenEsi.exe
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FilePMYU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FilejQoY.ico
Creates FileC:\RCXF.tmp
Creates FileDccw.exe
Creates FileC:\RCX12.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FilezswM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FilePwkw.exe
Creates FileXkUG.exe
Creates FilengYu.exe
Creates FileLccA.exe
Creates FileC:\RCXD.tmp
Creates FiledIos.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileZOAQ.ico
Creates FileC:\RCX6.tmp
Creates FileNqkU.ico
Creates FileC:\RCXE.tmp
Creates FilePoQu.exe
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FilehQIm.exe
Creates FileDokk.ico
Creates FilevkQG.exe
Creates FileXqgQ.ico
Creates FilebQMY.ico
Creates FilebkMY.exe
Creates FileXksm.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FilerMoY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FilerQwW.exe
Creates FileC:\RCX19.tmp
Creates FilencQI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\RCX1C.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\RCX9.tmp
Creates FileBEgS.exe
Creates FileC:\RCX1A.tmp
Creates FileRKIU.ico
Creates FileLwYM.exe
Creates FilejYQE.exe
Creates FilezQEK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileTYwA.ico
Creates FilebIYM.ico
Creates FileC:\RCX8.tmp
Creates FileHegw.ico
Creates FileBSoA.ico
Creates FilenucM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FiletgcA.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FilezoQA.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileC:\RCX1D.tmp
Creates FileDYwE.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FilevwQK.exe
Creates FileniwY.ico
Creates FileXUgm.exe
Creates FileC:\RCX16.tmp
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FiletsEE.ico
Creates FilevEYi.exe
Creates FileC:\RCX17.tmp
Creates FilefKQc.ico
Creates FilehIsw.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileHCsY.ico
Creates FileC:\RCX4.tmp
Creates FilejsII.exe
Creates FilebwEI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileXqMU.ico
Creates FileHOAs.ico
Creates FilejwMQ.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileDcsk.exe
Deletes FilerYIo.exe
Deletes FilejsMQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FilePwwq.exe
Deletes FileLogY.exe
Deletes FilerkwE.ico
Deletes FileHcQS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileNqQc.ico
Deletes FileTYAI.exe
Deletes FileHikY.ico
Deletes FilePwcm.exe
Deletes FilepiIw.ico
Deletes FilePYsO.exe
Deletes FilenEsi.exe
Deletes FilePMYU.ico
Deletes FilejQoY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileDccw.exe
Deletes FilezswM.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilePwkw.exe
Deletes FileXkUG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileLccA.exe
Deletes FilengYu.exe
Deletes FiledIos.exe
Deletes FileZOAQ.ico
Deletes FileNqkU.ico
Deletes FilePoQu.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FilehQIm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileDokk.ico
Deletes FilevkQG.exe
Deletes FileXqgQ.ico
Deletes FilebQMY.ico
Deletes FilebkMY.exe
Deletes FileXksm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FilerMoY.ico
Deletes FilerQwW.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FilencQI.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileBEgS.exe
Deletes FileRKIU.ico
Deletes FilejYQE.exe
Deletes FilezQEK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilebIYM.ico
Deletes FileBSoA.ico
Deletes FileHegw.ico
Deletes FilenucM.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FiletgcA.ico
Deletes FilezoQA.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileDYwE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileniwY.ico
Deletes FilevwQK.exe
Deletes FileXUgm.exe
Deletes FiletsEE.ico
Deletes FilevEYi.exe
Deletes FilefKQc.ico
Deletes FilehIsw.exe
Deletes FileHCsY.ico
Deletes FilebwEI.ico
Deletes FilejsII.exe
Deletes FileXqMU.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileHOAs.ico
Deletes FilejwMQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileDcsk.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1140

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\KoAsQcAI.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Network Details:

DNSgoogle.com
Type: A
216.58.219.78
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.58.219.78:80
Flows TCP192.168.1.1:1032 ➝ 216.58.219.78:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings