Analysis Date: 2015-05-23 22:26:31
MD5: 53711426e379d4eba15da633831128ab
SHA1: fbe46d27c20baff7fc66369df7a9136ac8f54715

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0bc1aca8758000dbfc4c18c95d49e472 sha1: 7a99238873e88e8a1afbf4cc3e8125f47e1d3a8f size: 496640
Section .rdata md5: 6236dde2273721714441858c1c80c484 sha1: 608d980a7bbf4a2fe9d14f84e787211e5aa53223 size: 512
Section .data md5: 46bd8ab13ab4c9c23bd008c8af932c37 sha1: 279867ba65b1822bcd94469295e49552c9fd56ee size: 512
Section .rsrc md5: fc0c9327c83df47114c2d654964662cb sha1: 1af406281797b553af95b7254faa9a42b77c7e20 size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 032e6b41dafbb332b7b6d92218dffac1eb4b5d12
IMPhash: 2fa5a9a26acd26d6792e5748af252ae7

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UuEEcggs.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UUQAAwQw.bat
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\fbe46d27c20baff7fc66369df7a9136ac8f54715
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\UuEEcggs.bat
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\UUQAAwQw.bat" "C:\malware.exe""
Creates Process: "C:\fbe46d27c20baff7fc66369df7a9136ac8f54715"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\wYwsMwoo.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\wYwsMwoo.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\vskssYko.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\vskssYko.bat
Deletes FileC:\malware.exe
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ "C:\fbe46d27c20baff7fc66369df7a9136ac8f54715"

Creates ProcessC:\fbe46d27c20baff7fc66369df7a9136ac8f54715

Process
↳ "C:\fbe46d27c20baff7fc66369df7a9136ac8f54715"

Creates ProcessC:\fbe46d27c20baff7fc66369df7a9136ac8f54715

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\UUQAAwQw.bat" "C:\malware.exe""

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\UUQAAwQw.bat
Creates Processcscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\fbe46d27c20baff7fc66369df7a9136ac8f54715

Creates FilePIPE\samr
Creates FileC:\fbe46d27c20baff7fc66369df7a9136ac8f54715
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\vskssYko.bat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\KyQAgokc.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\KyQAgokc.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\fbe46d27c20baff7fc66369df7a9136ac8f54715"
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\vskssYko.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ C:\fbe46d27c20baff7fc66369df7a9136ac8f54715

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CwoIcscs.bat
Creates FilePIPE\samr
Creates FileC:\fbe46d27c20baff7fc66369df7a9136ac8f54715
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\wYwsMwoo.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CwoIcscs.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\wYwsMwoo.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process"C:\fbe46d27c20baff7fc66369df7a9136ac8f54715"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\fbe46d27c20baff7fc66369df7a9136ac8f54715"

Creates ProcessC:\fbe46d27c20baff7fc66369df7a9136ac8f54715

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileogwK.exe
Creates FileAwMW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileOQQY.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileC:\RCX5.tmp
Creates FilecwYE.exe
Creates FileEIoA.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileMcYY.ico
Creates FileC:\RCXF.tmp
Creates Filekskc.ico
Creates FileC:\RCX12.tmp
Creates FileUYsw.exe
Creates FileYQwa.exe
Creates Filesowc.ico
Creates FileKIAy.exe
Creates FileuwEw.ico
Creates FileUYYM.ico
Creates FilecYcg.ico
Creates FilekMEs.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX18.tmp
Creates FilePIPE\lsarpc
Creates FileC:\RCXE.tmp
Creates FileosMa.exe
Creates FileYecA.ico
Creates FileMMQU.ico
Creates FileUkcY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FilegwAG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileIkwq.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileiggO.exe
Creates FileC:\RCX1D.tmp
Creates FileUkcw.ico
Creates FileEwgM.ico
Creates FileoAoK.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileYCQQ.ico
Creates FileqOcw.ico
Creates FileIooS.exe
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileguwE.ico
Creates FileC:\RCX17.tmp
Creates FileUkQc.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileqgMa.exe
Creates FilecwgE.ico
Creates FileYMoQ.ico
Creates FilekYAY.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FilegeQU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileYkgW.exe
Creates FileC:\RCX3.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FilemQco.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileIcYq.exe
Creates FileUMko.ico
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileWgck.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1.tmp
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileMgog.ico
Creates FileC:\RCXA.tmp
Creates FilesEUc.ico
Creates FileSIcm.exe
Creates FileC:\RCX1F.tmp
Creates FileoqcQ.ico
Creates FileC:\RCX13.tmp
Creates FileweEM.ico
Creates FileC:\RCX11.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\RCX1C.tmp
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileAMgO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileYyUc.ico
Creates FileMKgo.ico
Creates FilekgAQ.exe
Creates FileC:\RCX8.tmp
Creates FilegIww.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileYSIc.ico
Creates FilewoIS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates Filewswa.exe
Creates FileoIIc.ico
Creates FilesEQI.exe
Creates FileqUEO.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileWsIa.exe
Creates FileC:\RCX16.tmp
Creates FileekMQ.ico
Creates FileC:\RCX4.tmp
Creates FilesIII.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates FileEQMI.exe
Creates FileQsEi.exe
Creates FilewQMu.exe
Creates FilegKAo.ico
Creates FileAmoc.ico
Deletes FileogwK.exe
Deletes FileAwMW.exe
Deletes FilegeQU.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileOQQY.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileYkgW.exe
Deletes FilecwYE.exe
Deletes FileEIoA.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileMcYY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes Filekskc.ico
Deletes FileUYsw.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FilemQco.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileYQwa.exe
Deletes FileIcYq.exe
Deletes Filesowc.ico
Deletes FileUMko.ico
Deletes FileKIAy.exe
Deletes FileuwEw.ico
Deletes FileUYYM.ico
Deletes FilekMEs.exe
Deletes FileWgck.ico
Deletes FileMgog.ico
Deletes FilesEUc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileSIcm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileoqcQ.ico
Deletes FileweEM.ico
Deletes FileYecA.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileMMQU.ico
Deletes FileUkcY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FilegwAG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileAMgO.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileMKgo.ico
Deletes FileYyUc.ico
Deletes FilekgAQ.exe
Deletes FilegIww.exe
Deletes FilewoIS.exe
Deletes FileIkwq.exe
Deletes FileYSIc.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileiggO.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes Filewswa.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileoIIc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileqUEO.exe
Deletes FilesEQI.exe
Deletes FileUkcw.ico
Deletes FileEwgM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileoAoK.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileWsIa.exe
Deletes FileYCQQ.ico
Deletes FileqOcw.ico
Deletes FileIooS.exe
Deletes FileguwE.ico
Deletes FileekMQ.ico
Deletes FileUkQc.ico
Deletes FileqgMa.exe
Deletes FilesIII.exe
Deletes FileQsEi.exe
Deletes FileEQMI.exe
Deletes FilegKAo.ico
Deletes FilecwgE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FilewQMu.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileYMoQ.ico
Deletes FilekYAY.ico
Deletes FileAmoc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex\\xc3\\xb00@
Creates Mutex\\xc3\\xb80@
Creates Mutex\\x081@
Creates MutexnwYEEQIw0
Creates Mutex\\xc3\\xa80@
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA
Starts ServiceBgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutex\\xc3\\xb00@
Creates Mutex\\xc3\\xb80@
Creates Mutex\\x081@
Creates MutexnwYEEQIw0
Creates Mutex\\xc3\\xa80@
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 860

Process
↳ Pid 1028

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ Pid 1876

Process
↳ Pid 1184

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\fbe46d27c20baff7fc66369df7a9136ac8f54715

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates FilePIPE\lsarpc

Network Details:

DNS: google.com
Type: A
216.58.219.110
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.110:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.110:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings
W?
n
z
.
.&y..
.
.<+
....
@
V.

!]?!`}
{(/.{(
}=.%?~
0*;*/=
03J|b3
!?0E(@
0Jr}P 
0$|lpMVq0$
0mD!\l2%M
0PsR|x
0R"!!X
0s`8rG
0S,x'^3
0wP&1W
1):/9D;J1
:!1 a;
1B3E[C
1B3E[^n(2
1B3E[QNu,
1?BzK-
1?BzK-B
1DS=Yl
)1e5yA;
1Esre]
1!%HlS
`=1l ?
	1~L1#!>CC3>
1N3#QB
-1n&8r
1NS#QAp
1NSxZA
1ohTh:{
*^1,&R%
1S3E1S3
1^sh6S
1\Sr%//
1[srQAI
1WT9!A
1YS2HMn
2(*\0.
2AT9!A
2AT>!A
2c=s^jc
2)k}k4
]2|mOv
2u26S}.
@+3,\'
3@5)>n
37c@8Mp
38_x`Xa
3A4:!A
3>CC3>
3>CC3>CA3>
3>CC3>CC3>Cq){1
3>CC3>CN3>!
3>CC3>CQ)
3>CC3>CQ3
3>CC3>CQ3\
3>CJ3>
3E[_Nu,
3f/fK]
3hrl{Y
!3&j-q
3l1L2w+3
:3lRbw
}3$LxE
3$n!yL
>/3P2^
3p=(^x)(X
@!3/&r_3
3:u75D	
3vjVU7L7
~<3XOso
`3z6wr
40hH#Q
41S"5"
4&`*]3]
4a>.Fb0
,4D0,s
-4f<yd,
4GlC|j
/4,Il1
4*K!-{
}-4$k%y
4oBI&o
4^W9~-
4wPF5W
]!=|$5:
%54v%uaF
 5|6N-.
[5//7n,g
'5\ch;
5C'LI1
5cX^GqX~pW
5e,{JM
5$KXgL
[5Lywv
[5m9;5
5-_^%n
?5pN{^o%W
5-/t,l
5+>tM+
5wPF6W
5W	uMU
6AK66FK6<F
6:f$;:k$;
6)k1 xxh
6$L#QLWi
6:q-84E
6	q'qV
6wP&7W
6Yq8MO
7]3x|!
|]'76y
7>ab}W/B
7Aj7qG*7}
}7aJw1'J7
7At9AQ
7At:AQ
7B7/:O
7CLXB{
$7%K0Mq
],7-_L
7l6P7L4
?7njW?Fl]?
 7vn:4g	
7zD+fm5T
@8-2A5
84G8=3Y
{88O3U@
8@9>3E
.!8*A3
8aN^LUp
8E3;fF
8	J#0[
8t7]E#
8u75D	
8UP\{%H
}8xm3U5
"90y%gY
968:k$;
9?BzK-B
9C3>CC3>
9@IZ![
%9#m;*
9.'NQ$)}
|9ofSMX
9^pt I
9_PzK-B
9q=d6{
9UaK(7
|/9;Umy
9u$ycPi
9VIZy$;
9y8=wVYO
9&ZHQ%
}?a@?<
A1	2zwmZ
]a1aO}j
a2o6Gm
@<?Aa}?-
|/a??-Aq
<?Ab]_
>ab}W/B
ab_Wojw
A,CC3>
A,CC3>CC3>
AcNd2#
a?d5{>
|.a>.Fb.
afx&Xz7
aK77gJ
A-kgb7
AL11AL11AL11AL11AL11AL11AL11AL11AL11AL11AL11AL11AL11AL11AL11AL
A+L8M3
A mfcv
a|_Ml]
a=<O,?
a=<o!]1
!a}<Oa\
<_/a<?oC
{AoWu-
>A,Pm~
A][PNu
AP%}/U
-Aq<l ]
,AT;!A
.AT;!A
aV9a|m
a_v@NBXq
Ax[5cW'
{aXvXs_
AXX'i&
AY3?Uur!
a|)y5$
a_@|;z
-b]?!@|
`b0,F/
b0GE#7
B3MM0X
B4}~Qor
)=B6*9C0
B7=Ol}
B8+KsZ
Baa"e?
B#ahOzy
bd-wrd
|.BegD
bk|aHH
Bl;krl
blKS8A)
>BM*Mx
`Bou{:=
]/Bq?l
[\B".r
bRO6kJ
B&_T%&?>
+b	V`B
Bw7Mlw
Bw(a*pz
?!b}Wl
bwWGlw6
bz1J|X#
C1AT9!A
C1AU>B
C2AT9!A
C2AT:!A
C2AT?!A
c7b1FvEe
c7b1FveO
C*!8}A3
C8A7Z+
cA;1dO
Ca"nQ!A
C,AT9!A
C%AT"a
C,AT:!A
C AUvs,
C.AW193
C+AWzB3E
C+AWzB3E[
C+AWzS3
C!bmP!A
!>CC3>CC3>CQ3
ccH.ot/
~[[}cD
CDYk_/
^c h%j
(CHvv>t
c'.}}{i
cKF:	m
*C'l7C'
*C'l8C
$CL8Kn
C'l9!J
(C'lX.
C&oBI&
C&oBI&o
C&oBN&o
C&oB]&ob_DZ
C&oBVi
C&oBV&o
C&oBY&
CPQ5)f
C#QLSM
CrJT9!A
Cr+SuW
CsJ563
CSrN]|
csv!ks
csyU9,
C(u@DI
c[u_ly
} Cw9n!6
CW,E_S>L?V3
c[zLbZ
d32ycS)
D5.Y4\
D5 yswQ
\&D6\*%
/D?6DL
^D{]6P
!]dart
@.data
D,!$azk
;Db;GL
d}{`d0UP
:dEd6y
/D@Hnl
D_$IrPQ
d.J+LxZ
dLcDL8S
"DL#Q,
%Dl:Zs
$Dm>+M
|<Dnb?
dO.]lG
/DQ/?>
Dqfji	#*
ds'dL#
.dS}N$
DS#qlb
DSXa3}
D{TdLx
DuoH_&
DW5,v~
;d-wrd
;D=%YlvMqfz
DZhCSX
D}|	Z}|	Z
<+)(E|
?\%E~<
E1C3>CC3>CC
[e 1uP
/.E".3;
-[e,3'^oe0
?\"E^4
E^4Gf>
E_85=Z+
e-9~Ip
E@/CW9
e}=&D6
EDOLRcm
?e"?>F
ej%YUu-
Ek	!di'
%e_o*M4M
^E\:P*
e'!q1&
EQw-\T
ESr4Yx
E_T'D~
eTQFD>V(M
e\("V+
Exk39A
Ex:Ng-}
eY1JOk>f
e	Z]4P
{=f`~}
F	2]V+
F3=bqRpB
F#<4[?SJ
(.*f:6	
F6\%Ev
faPQ D4
_{f\Ax
FE6\%Ev
F'EC]k
^fF6\&E
~~F(>H6
*fi<8$J
fiW&yd&Q
	<./FL7
fm}]&evy
fngPN$J8
[f|nq&
fn,#QN
fNX\mL
:f&o$f&/
Fp~.aa
.F>P.Gaa
fQS<B 
^~fSWM
,-[Ftc[#.P
fTCqw	A
[Fv}bxL
fxa]m	E'
|~}FXr
fYZ<]	i
;G&->.
{g-9Ku-y>
g}c)k5U
>gED@C
'gED@C
GetMenuCheckMarkDimensions
GetProcessWindowStation
g<'fb<
gFDIHD
GFvc5d;$3
gG )b:
*gi<8$J
gj6?o 
GJ77GJ77
GJ7=GL
gmW2[ro
|GM\zP
gN!5Ez
|G,]?O
go/?dk)
Gp~.ga
gPn^NP
GQ7'Ds
=GS=yS
g*=v~X
[]/H\]
:H|0:BA
]H0CCH
]H0CCH0lpV
H0CCH?{J
]H0CIH
]H0COH
]H0CPH
]H0CPH0
]H0CSH
H0CSXU
]H0CWH0C
/h A'h
hc' /q
h:enD"
^/Hib*J
hIj[wY
HJh;)/
$-H$Lx
H$NLXB
,HOZnP
%h:`r>
:hr)pu
H~"[u)
=HV`Ka
=<HvSn
HX.O*r
h;yc;(`o
{H}|	Z}
,H/ZnpG
Hz[q/q	~
H}|	Z}\W
[H<Z`z
{H}|	Z}|	Z}~
I11AL11AL
]I4L=U
i5h$`\w
i@>5#W
I\6G!N
i#A,CC3>Cq
%iC;--~
id0UPv
I}d;e'
Ie,wYl
	IH>!r?k
?,Il;1
|IM\zR
InH#QN
I$(#qs]
iq{wAx
>iQZf9f
J1[e8#
'j5_El
j[~^b_
~JBRt(
Je,N1R
%&J\Gz!>
J&kF%x-
-JL~!Za
jm<sH}
)J$p(J
j%QE7`
jr^j# 
JS2S>4
[jT6_V
JuMo>}m
@[jWKx
jx9we=l`
$j=(^x=(^x/
j=(^x=(^x'
j=(^x=(^x=H
Jx{.YY
#jY#c(
j%yUu-9_
^):k$;
k1g);&B
k= @+41
K5MQ'x_
^+K7/+K
k88O3U@
k9{4N$
K;AKfU
kdI\jK
kernel32.dll
^#&kjJ
kK{iwEx
K+L9g{
kOzbs]S
^+KQ[+KQ[+K
*kRA'g
$?_k<t
-/k?W<+
Kw%5dA
Kx$gV[
Kx*'h,
L<1R,7
l2!=iC
)$^]$L8
L8u75D	
L930?/3
<<lA?_LB
lc}]l@
`<=lCQ
L<dc?5jM
l*d\_D
lD[o-;
l!DS"8
LeZ-g-
,&LF>,
lfFa,j
lFmN!A
L'.G+,
lGuZ+Gp4
-{_"LHl[g
liGK7Z
LImN!A
ljN),J
lJT9!A
L-kr#,_
`\?Ll=?
LL77GJ77GJ7=!
lLE_;k
==Ll}<l!?
LNkG!L
--lN_S
LnT9!L
lO Z.N5
LQ&:Fq$
l"[Q,J
lreAcC
_lread
lS%	x;
'l{Wz|
:%LxH7
L+X^|/U
$#LxX~
l	y]W#!
-= m",
m3D;\;
Ma==!@
Ma=<o ]
.MAT9!A
mbwQ/B>
mDR554
=+mfCs
?+mfCs
_M h)U
)miV3e
MKCX_:
=(*m"l
-( m"L
Ml7}l"
Ml]<l!?<AB
,MLxH7
	^MmfN
m`N),J
MqJMLj
MQ:plx6Od
\MU@8/
*Mu CG
MultiByteToWideChar
.Munyl
Mv_9uw
Mv=X2n
}mY[u-C=}M1\uM
-N0LT9
N5yLKx%cZ
n6P7L4
-n9o-n
|Na}\M
<na]qN
#Na$yT
&N"bf`O
NBg2gwO
N=BZw*(A
"~*n(c
NC3>CC3>C@3>C
NC><NCq
%!nDJ\
"nd]s3
;N~`eH2v!
\ Nf\`
N#_}GL
Njmw=Wr
nJQ?l`
nj<sH}
N<kR-Df
NL@:= 
n`__OC1
\/NOI,7
~|N?pr\V
N_T;!A
ntdll.dll
N}udUF
n-X?e|
, <|o!=
<!@\?O
^>o1H~
O31X=O3
O6]U69-
<O'94@
Oa=6FK6?FK
_Oa<?A
<_Oa<=!b]1l
<?o _=aj
Oa]_mC
&oBV&o
O?F1[U
}oFm4>
o=imW/7
):OKi2
ok<sH}
OL7<GJ1
ol<sH}
OM9u5/
#OM[}t
O,_=Oa
O&oB& 
OQ"zLQ"ZLQ!
ORFTD~
(OSN/N
O}'	t@
\O,]W-Aq
\:owauJ
O,=wo!
o&x'{&
o&x'}&{
o&x'5 
o&x'|f
o&x'l&
o&x'm3
o&x'u 
o&x'u&
o&x'u&x
o&x'~&x
o&x'}&x
o&x'YL"
??o _Y
{(o|	Z
[] OZ](
](OZ]/J
OZ!JOZl
{(o|	Z}p	Z
OztM)a
{(o|	Z}|	Z
{(o|	Z}|	Z}
 o|	Z}|	Z}c	Z
 o|	Z}|	Z}fId
{(o|	Z}|	Z}p	Z
p"6hpq
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
PdHR+XO5RPjh
 Peq,=
P,E?S>O
p=:m)h
pt.d3/F
PT!NS[.
}''Pu{
P/[_U\
Pu75D	
*{PuFJt
q7BN.Y
&)q8l(
q,dra.
qf<(C;
>QFf13F
%q)>G{
QHyv>T
Q\I@+<
~ql19SN
}ql[T!.
ql*VC$
QLw	I,
`}Qma=_o
|?!`}qo
Qp	,)_
qQ_2q\Bv
q(q)OP
QrJB?b}
QsLr([I
QS#U;(T
Qu75D	
q&xgC?
q,X!:$N
Q'ymX&
Qy&Oh)yzh
;"R49i-o
rC{C-$
R*c-c(
RcnX](
>rc;X-
`.rdata
rDL8xLpB
%=RE%B
\_rhQ_1
Rich!l
rJh>ek
'rkUIi-
roWnR<0
R!Pf|O7)
*=R[T9!A
RtlVerifyVersionInfo
Ruo+WQ
Rux4VyA
RV+YG1
r<WRjn5
r]:^x=(^x=(^x(
r/Y{5M9[
RyJRJ`
r&ZC<'
~{*=s+&
s04t1U
&s0L>{5@
s1	?y_
!S28bA3
S3E S3
S48Ziz*
_;<"\S|54
S5t:O'\
*s?&6wy!
$S?6ZY
'S7 "V8a
S@/9!A
SA/9!A
	sB&93A
	sb*9S
Sd-wrd
%se1$=g
Se/9!A
Sf/9!A
SF/9!A
(;s/h}A'
sH}|	Z}|	Z}w	
sj|25L
Sk2]sr
SK5)9d
SL5)=$ 
	slv9s
^>smu}
-SmZsR_
sN3#QD
	S	P9s
sQk?_wk
[srk-%
@>S~rO/
SRPd!{
SS5)0$
SS5)9D
SS5).N
{St(!2
Sw		dA
SWQJSR
s,x+M3
[SXsnZ8
SY8' DSr
SY/9!A
SZ/9!A
!sz/wv
T1KU=}
T2v;CK2eZ
t,3"Kp
}T_74 
t8%~rm
&'!T(D#
T}:f&o:f&
Tf=%Vf]
t~gIY|
~tgM.@
!This program cannot be run in DOS mode.
tIP<Kj
tlHfv)SGQ
Tn<DX<
Tp<d>"3
TP/F9 
Tp<$!p
,tqHNt
T.,v6:
Tv>.F0W
)~U"1-
<"u2bwO
<"u2ewO
"u2rR%q
u3,8?O3
U4Y Hx
U6\^1rp
<u75D	
/u75D	
(u75D	
<$u7F75
<>u7^wG
*"u82_
u937O3
u937O33
U97q=.
U-97Ri
[u-99uM
\u-9-o
U-9"Ri
[u-9;ul
+U(c!,/
uC8vuj
[u-C9}
ufo<^;
uGLrKYA
*;ujX\{
U#K8\x
).Ukp74@
<-u\_L2
`ULckzn
um9[UM
UM	Qu-
[Umy[u
UmY{u,
[Umy[Uo
uP1a	8
u<P*l5
)UpQ<4
user32.dll
u#SO`&
U#tH5$<;3
Uv	a5d4
UVd-wrd
#UVQ+b
U-Y+2m
u-YDb"
V9-dsv
VB^OTr
vdB:F!
V,E_S>
#%VF#b
VFj9[F
v<fpLE
vgd:UP
vH(nr</
ViXd0X
VKj;-/
#];Vo`
vpRr6G
vQ,3qC
VQUkUq
~Vs4B5y
<*VtX3
>&\%VvJ
v[}:^x/(^x
]V+YG1
w0[SS$m-
W	1ySC
=w6COB
?w6COB
'w8I"7
W?Ab]_
wc]b+f
W',E1|
>WFjtG
]wGj77a
' w?Gl
W_gSDY
wi2uAKw
wj#%tk
W~Kp/.d(
	woPjxU
WPzK-B
!*WQ'*
wrC_GoDhG
@WRt+R
ws2_32.dll
WSCWriteNameSpaceOrder
{W:+vT
`wWGlwQ
;w-Y,,
`wyQaR
!WzB2E
Wz%E}<
^!%	x;
 =(^x=(^
{&x'=-
^X0EH9
	X0G9B
@X64H/
xAM#);
xC^!rC
xC^!uC^A#
x<d~'N
xE3g'SL{.
xepYN-
xG]@Js
[]X-IP
x:K#){
X$K3%&
x=N#0;0
xo1#Er:
X;O#5{d
x o|	Z}m
X|Q#2[
']XQA3
xQl.K~$
xQNQ8_dY#
X#Q\qY
xqS@[9
x-Ty?E9
XuI" =
{Xu`YI
&x'}&x
x&x']4
x&x'56
]:^x=(^x6(
(^x=(^xoMl
-XXu\Dg
=(^x=(^x=(^x
:^x=(^x=(^x*
@]:^x=(^x=(^x=
[xX/x&h)}SF
X<>y"x
,y4&y1
y8Ea!xhqgw,S+
-y]9%gQ
YB@#8b
YfjN),J
YGTfOYH
Yi>6@_
]y|Ic]"U>1
!Y\(IUT
y'j5]E
y$;:k$;
=]Y(]K
Y-,:M%
`\YOL;W/
+	"Y-Q
YqMK#O
Y|RI*~,
Y}rvj2C
}Y#_;S
YumY|}M
YVwGvtS
,/Y_v.zk#
Y$y?(:
YY7kRU"
YzB2E[
YzB2E[RNu,
YzB3E[
YzS0e;s;E8
[*z0"g
z6[p{S1
Z7LxH7
]z9?BzK-B
/ZAw:Q
/zB1^pO
+zc{fc
	Z}c	Z]
zFaA+L
	Z}f	z
~zh	t >
	Z}j	Z[|
z*l.eI~
$" ZLX
	Z}l	Z[|
|ZlzoUm_
zPAPI>gAKw
Zpk)w}
z PL*m
>z/P~o
z"R<p(o
zrqjh'
zrqjh)
Z}s	Z}
Zu%1Zw/y<
	Z}wi$
Z^Y1)Uv
z=(YCU
|	Z}|	Z
	Z}|	Z
	Z}|	Z}c)%
Z}|	Z}c)%
Z}|	Z}c	Z]
Z}|	Z}d	Z
Z}|	Z}e	Z
	Z}|	Z}f	
|	Z}|	Z}f	z
	Z}|	Z}li%
Z}|	Z}m	
	Z}|	Z}m	Z[|
	Z}|	Z}n	
^|	Z}|	Z}N
	Z}|	Z}Nv 
	Z}|	Z}oi
	Z}|	Z}o	Z[|
Z}|	Z}ui
	Z}|	Z}w	Z
Z}|	Z}y	Z=
|	Z}|	Z}z	
|	Z}|	Z}|	Z
	Z}|	Z}|	Z
Z}|	Z}|	Z
|	Z}|	Z}|	Z}5
Z}|	Z}|	Z}c)%
Z}|	Z}|	Z}m	8W
	Z}|	Z}|	Z}Nv 
Z}|	Z}|	Z}oi
Z}|	Z}z	Z}.a
Z}|	Z}z	Z}N