HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.1750 (B) (Emsisoft), Gen:Variant.Kazy.1750 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 901b366ca1e1e74d751e4b5e3c2160b9
SHA1: 2f55fea37f54e98aeaa7302b096e82f4020f3786
SHA256: 20864785b8f95cc7fbc69b84b4535ed8220a1532635fa1d48a331184875a9405
SSDeep: 24576:R MxjWYOvJRVQURPft2LsRwrufntiLGCNySWow3DQSLxYqH:wM0bBRVxdSsRwwnoTQow3DQWxYqH
Size: 1026048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cscript.exe:600
cscript.exe:1952
cscript.exe:336
cscript.exe:492
cscript.exe:1832
cscript.exe:1940
cscript.exe:488
cscript.exe:1376
cscript.exe:424
cscript.exe:408
cscript.exe:568
cscript.exe:1236
cscript.exe:448
cscript.exe:368
cscript.exe:1132
cscript.exe:616
cscript.exe:244
cscript.exe:264
cscript.exe:1868
cscript.exe:1648
cscript.exe:808
cscript.exe:1748
cscript.exe:644
cscript.exe:1360
cscript.exe:1668
cscript.exe:1368
%original file name%.exe:1140
%original file name%.exe:620
%original file name%.exe:596
%original file name%.exe:628
%original file name%.exe:1308
%original file name%.exe:1920
%original file name%.exe:340
%original file name%.exe:1948
%original file name%.exe:1968
%original file name%.exe:1980
%original file name%.exe:1856
%original file name%.exe:956
%original file name%.exe:652
%original file name%.exe:368
%original file name%.exe:1252
%original file name%.exe:188
%original file name%.exe:616
%original file name%.exe:1276
%original file name%.exe:1492
%original file name%.exe:1700
%original file name%.exe:1648
%original file name%.exe:808
%original file name%.exe:1748
%original file name%.exe:1760
%original file name%.exe:512
%original file name%.exe:1740
%original file name%.exe:1660
The Trojan injects its code into the following process(es), which are the three dropped components listed under File activity:
NesIMIQs.exe:260
fGAwoYMM.exe:1092
reIEcoQI.exe:484
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process fGAwoYMM.exe:1092 makes changes in the file system. The listing below is a file-replacement routine: for each sample picture, sample music file, user account picture and Total Commander binary it finds, it writes a small executable carrying the original name plus an ".exe" suffix (most of them 7385 bytes, suggesting one dropped stub rather than per-file infection) and then deletes the original. With Explorer's default of hiding known extensions, names such as dog.bmp.exe and Sunset.jpg.exe display as the files they replaced.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
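As an added example (not part of the Lavasoft report and not code from the sample), the Python below pairs the create and delete entries above to confirm the replacement pattern, flags double-extension executables, and counts clone sizes so a uniform stub stands out. The input is a constructed excerpt in the report's own "path (N bytes)" format using paths from the listing; the suffix set in DOUBLE_EXT_RE is this example's assumption about which extensions are worth flagging.

```python
import re

# Constructed input: a few lines copied from the listing above, kept in the
# report's own "path (N bytes)" format. The real listing has ~40 of each.
CREATED = """\
%Documents and Settings%\\All Users\\Application Data\\Microsoft\\User Account Pictures\\Default Pictures\\dog.bmp.exe (7385 bytes)
%Documents and Settings%\\All Users\\Documents\\My Music\\Sample Music\\New Stories (Highway Blues).wma.exe (11518 bytes)
C:\\totalcmd\\TOTALCMD.EXE.exe (35505 bytes)
C:\\totalcmd\\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\\All Users\\KAAo.txt (55978 bytes)
"""
DELETED = """\
%Documents and Settings%\\All Users\\Application Data\\Microsoft\\User Account Pictures\\Default Pictures\\dog.bmp (0 bytes)
%Documents and Settings%\\All Users\\Documents\\My Music\\Sample Music\\New Stories (Highway Blues).wma (0 bytes)
C:\\totalcmd\\TOTALCMD.EXE (0 bytes)
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")
# Executable suffix stacked on a short data/program suffix (photo.jpg.exe).
# The suffix set is an assumption of this example; extend it as needed.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|com|pif|bat|cmd)$", re.I)


def parse_events(text):
    """Map path -> size from lines in the report's 'path (N bytes)' format."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m.group("path")] = int(m.group("size"))
    return events


def is_double_extension(path):
    """True when the file name ends in <data ext>.<executable ext>."""
    name = path.rsplit("\\", 1)[-1]
    return DOUBLE_EXT_RE.search(name) is not None


def find_replacements(created, deleted):
    """Pair each deleted file with a created '<same full name>.exe'.

    That pairing is the signature of the behaviour above: the original is
    removed and an executable carrying its name appears in its place.
    """
    hits = []
    for victim in deleted:
        clone = victim + ".exe"
        if clone in created:
            hits.append((victim, clone, created[clone]))
    return sorted(hits)


def triage(created_text, deleted_text):
    created = parse_events(created_text)
    deleted = parse_events(deleted_text)
    replaced = find_replacements(created, deleted)
    double_ext = sorted(p for p in created if is_double_extension(p))
    # Identical sizes across many clones point at one dropped stub rather
    # than per-file infection; count them so the analyst sees it at a glance.
    sizes = {}
    for p in double_ext:
        sizes[created[p]] = sizes.get(created[p], 0) + 1
    return {"replaced": replaced, "double_ext": double_ext, "clone_sizes": sizes}


if __name__ == "__main__":
    result = triage(CREATED, DELETED)
    for victim, clone, size in result["replaced"]:
        print(f"replaced: {victim} -> {clone} ({size} bytes)")
    print("clone sizes:", result["clone_sizes"])
```

On a live host the same pairing can be run over a directory walk instead of report text: any file whose name is an existing name plus ".exe", where the shorter name is gone, is a candidate for this behaviour.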
The process %original file name%.exe:620 makes changes in the file system. Every instance of the original executable listed from here on repeats the same three writes: a 30-byte marker file in the root of C:\ named after the sample's own MD5 (901b366ca1e1e74d751e4b5e3c2160b9, the hash given in the Summary), a 4-byte batch file and a 112-byte batch file in the user's Temp directory, after which the 4-byte batch file is deleted. The marker path is the most stable host indicator in this report; the batch file names differ for every instance.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MgQkQooM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XSsIUMwE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MgQkQooM.bat (0 bytes)
The process %original file name%.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWYYsEIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcUokIYQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QWYYsEIw.bat (0 bytes)
The process %original file name%.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoEAEIQU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rCEgYIYk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GoEAEIQU.bat (0 bytes)
The process %original file name%.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CIAQMkMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tMYYwUgI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tMYYwUgI.bat (0 bytes)
The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yuIAsAEc.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7737 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OSUQUYEo.bat (112 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yuIAsAEc.bat (0 bytes)
The process %original file name%.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AokcokIs.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QiQwIcEs.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AokcokIs.bat (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWYoskks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jywcIsoc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sWYoskks.bat (0 bytes)
The process %original file name%.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOUUIYsE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oMsQYoUE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oMsQYoUE.bat (0 bytes)
The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OwwkQocU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nysQgsoo.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nysQgsoo.bat (0 bytes)
The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\naccAscE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mWMAgAsA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mWMAgAsA.bat (0 bytes)
The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RuIkMccg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEIkYEgA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RuIkMccg.bat (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MYEQAskM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IWEsEIgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mCgMQYYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qsIkcYcI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MYEQAskM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qsIkcYcI.bat (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pQscEkMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hIckgQkI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hIckgQkI.bat (0 bytes)
The process %original file name%.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwgMckQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cowIMIAQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cowIMIAQ.bat (0 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oswscgcc.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKwsYYAE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oswscgcc.bat (0 bytes)
The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGYkQQMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yaEEsIUU.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OGYkQQMA.bat (0 bytes)
The process %original file name%.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kiEoQQkk.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duMAgwMY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kiEoQQkk.bat (0 bytes)
The process %original file name%.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqoUgoIk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CcsgsEoQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sqoUgoIk.bat (0 bytes)
The process %original file name%.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VQMksAcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSUAsIgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FOEAIoEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmEQkQIE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fSUAsIgw.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmEQkQIE.bat (0 bytes)
The process %original file name%.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aKEUwEcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kSMIgYMk.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kSMIgYMk.bat (0 bytes)
The process %original file name%.exe:808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KusAoUAY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xAwwkYwA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KusAoUAY.bat (0 bytes)
The process %original file name%.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MWYskYcM.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QYQEUEEQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MWYskYcM.bat (0 bytes)
The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SogAQMAk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UCwowoQM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UCwowoQM.bat (0 bytes)
The process %original file name%.exe:512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GcIUkIQs.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmIwcIMw.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GcIUkIQs.bat (0 bytes)
The process %original file name%.exe:1740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CgwAcMIQ.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FaYAgIQg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CgwAcMIQ.bat (0 bytes)
The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iMsksYkI.bat (4 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XikYIAoE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iMsksYkI.bat (0 bytes)
Registry activity
The process NesIMIQs.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C BA FA FF 90 E4 44 F5 74 55 BF 27 2C 3A C4 95"
The RNG\Seed value is rewritten by the Windows CryptoAPI provider whenever a process draws random data through it, so the Seed writes attributed to every process in this report are a side effect of ordinary API use, not a Trojan indicator, and should not be turned into a signature.
To start again each time Windows boots, the Trojan adds the following value, pointing at its dropped copy, to the machine-wide autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process fGAwoYMM.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E BA B6 BA B2 2B 95 7D 44 C5 8F 0C A9 2A 60 A6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
These MountPoints2\BaseClass entries are written by the Explorer shell when it enumerates volumes and are likewise incidental; the Run value that follows is the substantive change.
To start again each time the current user logs on, the Trojan adds the following value, pointing at its dropped copy, to the per-user autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 92 82 58 8B 0F DA C0 DD FF B9 A4 86 FE 6E 96"
To start again each time Windows boots, reIEcoQI.exe writes the same machine-wide autorun value that NesIMIQs.exe:260 set above, so this entry is maintained by two different components:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process cscript.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 8B 05 AF AB A4 85 B0 DC 27 D1 74 09 76 86 1C"
The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 04 E7 5A 38 40 7E 94 81 B2 1B C4 D4 08 3E 80"
The process cscript.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 81 DD 14 0D 5D FD CF 15 E5 13 2C B3 28 D1 D1"
The process cscript.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 C8 17 26 FC 50 F4 3D 8C 86 CF BE A4 0D 82 19"
The process cscript.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 06 29 AA A3 E8 FC B6 94 BA DB 39 3E 6E 2D 92"
The process cscript.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 54 E1 54 E7 30 DB F3 10 D5 03 5B 41 27 25 D2"
The process cscript.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 4E 12 86 9B 02 5D B2 CC 38 50 7C 3F D8 3F F7"
The process cscript.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 6E D2 76 A5 7C F6 7A FE 06 21 11 6A BC 1A 9A"
The process cscript.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 96 2A 1D 16 8B 7D E1 33 99 5A FF DC 7E 41 52"
The process cscript.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 33 CB 3C 59 C8 0D 58 48 9E 72 0F 36 4F CF 9C"
The process cscript.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 78 DC 44 3C 9A BB C5 99 45 5A 57 36 F8 26 9E"
The process cscript.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 D5 22 11 2D 39 07 53 45 5D 7A 31 68 3D 0B C5"
The process cscript.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 ED 20 19 8D 65 EF 1E A4 8A E5 F2 D6 C8 95 DC"
The process cscript.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 A8 9E A6 6D 4E E0 EE 17 64 3D 84 1B 8B EA A9"
The process cscript.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 51 2B 54 D2 64 49 65 2A FA 5E CB 1A F4 37 AD"
The process cscript.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 30 E0 C8 B1 33 75 4C 66 7C 62 ED DE 6A C2 33"
The process cscript.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 44 ED 4D 26 C0 38 6A A8 BA 3E 79 C3 38 0C FA"
The process cscript.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 55 35 C7 28 62 68 84 40 73 F7 9D FF 0D AD 98"
The process cscript.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 3D B4 3E C6 7C 26 A6 34 EB D3 7C FA 55 9F 2F"
The process cscript.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 1A 54 61 46 D4 0A 29 5D A9 BA 6F 78 29 57 75"
The process cscript.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 48 17 A5 B3 46 61 DC 82 1D 2E 26 34 C4 7B 70"
The process cscript.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 74 A9 DC F1 F0 39 2E 83 B3 13 A3 EF E2 4B 85"
The process cscript.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 66 FD 66 17 60 6F 21 DF 80 7B 0F A1 CE 19 BE"
The process cscript.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 63 AA C9 E5 95 EF 9E 1E FD D5 DE 3B DE B5 84"
The process cscript.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 08 4A D0 6A BF 2A DB 11 86 E7 93 81 4C E3 A7"
The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 22 BC 52 90 CE 49 68 17 A0 BC 64 DB 67 38 C5"
The process %original file name%.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 1D FF 26 1B 0C F4 E3 53 77 5C F3 62 40 20 76"
The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 97 0E A9 D5 ED 08 53 69 E5 FC F6 94 48 A5 B3"
The process %original file name%.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 84 C3 FD 47 35 1C 76 8D 48 95 23 87 57 09 DA"
The process %original file name%.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 62 79 D6 69 78 7A 4E 6A 71 5A 4A E7 E7 02 D9"
The process %original file name%.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 62 30 2B 43 62 D7 16 7C A5 DD E3 A9 A5 7E 42"
The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 8A DA 09 E3 71 5C E9 0A 16 1A 62 F1 EF 70 04"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 07 AF 39 4F 4F 79 29 43 55 32 28 06 DC D2 0F"
The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 1D B1 49 0D D1 60 E0 E9 CD EF 3A C6 6C 61 71"
The process %original file name%.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 46 A3 F4 5A 4C BA 4E D9 F0 CB FA 6E CC 76 64"
The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 69 D4 3C 3A ED 31 29 88 01 88 04 DF C4 E1 0A"
The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 9B EF 33 CA D8 34 B5 85 7A 46 B1 40 02 36 F5"
The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B5 3D 11 89 08 90 F1 92 1C 51 DA B8 34 5C 44"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C9 DD B9 5B B1 92 9A F1 C4 76 C6 BF CC 20 B0"
The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 D6 A6 A3 C7 9D 26 3E 51 CE B9 3A 1E 9A E3 2F"
The process %original file name%.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 40 24 A3 60 95 A4 B4 09 88 E8 F0 24 E9 D1 DD"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 54 68 75 B4 16 C6 25 6D FE A4 DA 61 48 58 05"
The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 4C BD 5A 1D 90 AC 0F D0 55 52 55 F1 9B A8 EF"
The process %original file name%.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 F2 1A 8C 13 AB 79 E1 1F 0C 8B A2 40 B0 F3 97"
The process %original file name%.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC AF 24 F5 A8 53 A5 86 42 58 DE 30 68 88 C8 C9"
The process %original file name%.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 6A 5B 17 1D 63 44 8A 8C 4A 5C 98 D9 8B 4F 05"
The process %original file name%.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 8A 6E 24 B5 B4 47 3B 3A 40 4F FE 5B 76 7B E5"
The process %original file name%.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 DB 65 C8 45 98 AC 30 FD 05 7D A4 45 48 F9 25"
The process %original file name%.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 4B AF 4A 01 BB D9 66 69 C4 C5 81 EB 02 8C B2"
The process %original file name%.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 65 D7 74 9A D3 4A F1 CD 34 C8 4F 41 A4 06 71"
The process %original file name%.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 FE 39 2A EF 44 36 5A 02 62 40 87 CC 3E FA 5B"
The process %original file name%.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B B3 4B D1 8D 11 49 2E 7D 58 01 CD DC F8 B0 D0"
The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E0 BF 6B DA 98 34 9A 47 A3 1D AE 11 37 78 25"
Dropped PE files
MD5 | File path |
---|---|
a693ed50043016a50d4cc1bc61e8e9ba | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
351ed48ce7c8ca658597b8016116a33b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
8838df9ff9dc3ea376b185246b7b3282 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
00cf1ed1216d93f3d40180154fe7aa60 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
220a9c1d0010d92ee0de5da147c74ed7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
f9e6e260ad737402e4464845e4d4fbd4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
eb4db5b97ddf0470c5c9e882e55648ce | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
cde091a5a96e230b9ce5ae4baab8abe0 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
92735e2afd8dea5d4652d92238b6efeb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
f9386be2210eca89591d227993f8976e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
5b42e92ddc7e3f622a1b0d55d542c641 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
5b1aee3f11cffebceba76f6574ddd0ec | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
cb1707b49591fa12d153fffc7382f427 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
c9d946a3aade2deb03632c9bfa57e851 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
b0af0fafade63956dc0b8353e7ce7345 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
577c84fd31fd120cb2afd523f9cd1479 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
618fec7a695c6ab236402fce76dd8079 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
4be3d428f468e532feea9ed69a8fd632 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
3fcb72ebdb0dbceb9c46ae7a74d7d404 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
bdf96761030aa9fcf1c6db8752acd4f9 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
f14603a39b4ed79db63f31bdd588930f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
1829567960f132a0cde8f461976db6d6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
2d3657ea207d79e47c8252d9a3bb5bb5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
55e336f55003756c1bd1501cac070bf7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
4002f55dbf1d87c803e456428a32ea86 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
e4c60c8dc56d6327c12f1cc1f92ff394 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
587e2e8faf7b732f357ac00197d5182c | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
53995b69cbac86a9cca0ba329d257b12 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
27315d6d417f6684e9dd747eca72d430 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
809965f8e4d4a2af6624c01050792b27 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
e5afa99008e0ed23398f924a45cabb3e | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
370de7bfb744c4845c5ae2a8aa52d904 | c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe |
00e87dc3700dccbbe777a421e7f65568 | c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe |
7ae96f20068d9bf9acdc101e77fca487 | c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe |
369cd341046b3f34fbdc129e72223b36 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
4cca5db5753fec4111a958a0e27ea5d8 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
7222d68632a6bdf83d04c42fa0d1d490 | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
2eabab0a30ffbaa74cc97d2e53a2cc1b | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
47171c6714cd4ff7ad3ed665c1d9224a | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
7d5ee23dd4dd677383edb0f8b24f8b37 | c:\Perl\html\images\AS_logo.gif.exe |
46ffc3005c9cbd274d2058c027547dc6 | c:\Perl\html\images\PerlCritic_run.png.exe |
bf6057ad2cf3a5d97dc240c055528099 | c:\Perl\html\images\aslogo.gif.exe |
5080135926e61c7b3c86863985aa53e4 | c:\Perl\html\images\ppm_gui.png.exe |
99fbeeeee0d9accf2e6c55dd4f7268db | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
9058513ef1aefc1b45634ec056f726d0 | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
2e559d411c687e9ecf5488c912bcafd9 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
4bce315a665472f5052b16520a15e9ab | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
bc34d619af8e6360ccd25c4b21369973 | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
ad7625a11eb8a27f8dd669b055a280e7 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
6008e26dfd6fd134cd30cc413575c6b6 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
7ac843023724bce2f22c56511dc27b74 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
5a14d8959e2f9b12d7496dc6b927488f | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
aa67eef532d0c9e4381d135bd9f98aaa | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
d012246155ff4394d4f2a51eb665d5fb | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cscript.exe:600
cscript.exe:1952
cscript.exe:336
cscript.exe:492
cscript.exe:1832
cscript.exe:1940
cscript.exe:488
cscript.exe:1376
cscript.exe:424
cscript.exe:408
cscript.exe:568
cscript.exe:1236
cscript.exe:448
cscript.exe:368
cscript.exe:1132
cscript.exe:616
cscript.exe:244
cscript.exe:264
cscript.exe:1868
cscript.exe:1648
cscript.exe:808
cscript.exe:1748
cscript.exe:644
cscript.exe:1360
cscript.exe:1668
cscript.exe:1368
%original file name%.exe:1140
%original file name%.exe:620
%original file name%.exe:596
%original file name%.exe:628
%original file name%.exe:1308
%original file name%.exe:1920
%original file name%.exe:340
%original file name%.exe:1948
%original file name%.exe:1968
%original file name%.exe:1980
%original file name%.exe:1856
%original file name%.exe:956
%original file name%.exe:652
%original file name%.exe:368
%original file name%.exe:1252
%original file name%.exe:188
%original file name%.exe:616
%original file name%.exe:1276
%original file name%.exe:1492
%original file name%.exe:1700
%original file name%.exe:1648
%original file name%.exe:808
%original file name%.exe:1748
%original file name%.exe:1760
%original file name%.exe:512
%original file name%.exe:1740
%original file name%.exe:1660
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
C:\901b366ca1e1e74d751e4b5e3c2160b9 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MgQkQooM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XSsIUMwE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWYYsEIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcUokIYQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoEAEIQU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rCEgYIYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CIAQMkMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tMYYwUgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuIAsAEc.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7737 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OSUQUYEo.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AokcokIs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QiQwIcEs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWYoskks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jywcIsoc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOUUIYsE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oMsQYoUE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OwwkQocU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nysQgsoo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\naccAscE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mWMAgAsA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RuIkMccg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEIkYEgA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MYEQAskM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IWEsEIgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mCgMQYYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qsIkcYcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pQscEkMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hIckgQkI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwgMckQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cowIMIAQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oswscgcc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKwsYYAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGYkQQMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yaEEsIUU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kiEoQQkk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duMAgwMY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqoUgoIk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CcsgsEoQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VQMksAcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSUAsIgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FOEAIoEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmEQkQIE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aKEUwEcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kSMIgYMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KusAoUAY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xAwwkYwA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MWYskYcM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QYQEUEEQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SogAQMAk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UCwowoQM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GcIUkIQs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmIwcIMw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CgwAcMIQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FaYAgIQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iMsksYkI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XikYIAoE.bat (112 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1019904 | 1018880 | 5.45691 | 9f69f7e7277ebf1b01582c8ff95ca717 |
.rdata | 1024000 | 4096 | 512 | 2.22347 | 1d539e7d78abc1bb708fc9a2c829ff48 |
.data | 1028096 | 4 | 512 | 0.053811 | 9dcd6c545a34c3b2acc310a8f6045f46 |
.rsrc | 1032192 | 4444 | 4608 | 2.04696 | 56bf39e2739fbb0513597c0464f996ac |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):