HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.530639 (B) (Emsisoft), Gen:Variant.Kazy.530639 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3219d18fda4eb8b4a60ac48aaf92c606
SHA1: e1ab400d42721da187a5a95e458dcb238304c686
SHA256: 22413227d79882903e295138c7ff9817f5673baeb7044f607de9023999ca5c03
SSDeep: 24576:VS5u exNLTnc//a yYuvmjKUe7mkOTkMEMzl MOmXKF82Yei:Vku exNLw//fmeF9THOmX0YV
Size: 1007104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
:0
cscript.exe:556
cscript.exe:456
cscript.exe:1972
cscript.exe:392
cscript.exe:236
cscript.exe:1712
cscript.exe:1612
cscript.exe:1944
cscript.exe:656
cscript.exe:2036
cscript.exe:1520
cscript.exe:368
cscript.exe:1236
cscript.exe:996
cscript.exe:1216
cscript.exe:1312
cscript.exe:896
cscript.exe:564
cscript.exe:1592
cscript.exe:860
cscript.exe:908
cscript.exe:1648
cscript.exe:720
cscript.exe:1384
cscript.exe:1688
cscript.exe:2008
cscript.exe:1004
cscript.exe:376
%original file name%.exe:1128
%original file name%.exe:604
%original file name%.exe:600
%original file name%.exe:596
%original file name%.exe:488
%original file name%.exe:608
%original file name%.exe:456
%original file name%.exe:552
%original file name%.exe:1052
%original file name%.exe:1968
%original file name%.exe:656
%original file name%.exe:1652
%original file name%.exe:1756
%original file name%.exe:916
%original file name%.exe:2012
%original file name%.exe:1024
%original file name%.exe:564
%original file name%.exe:588
%original file name%.exe:380
%original file name%.exe:1032
%original file name%.exe:1492
%original file name%.exe:228
%original file name%.exe:268
%original file name%.exe:1284
%original file name%.exe:908
%original file name%.exe:1972
%original file name%.exe:2020
%original file name%.exe:532
%original file name%.exe:296
%original file name%.exe:1516
%original file name%.exe:1380
%original file name%.exe:680
The Trojan injects its code into the following process(es):
zuMEoUcg.exe:1728
hmwooYMM.exe:232
hEMQMIQs.exe:1212
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process :0 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OUQkMkgc.bat (4 bytes)
\Device\HarddiskVolume1\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\QiAIQsMM.bat (112 bytes)
The Trojan deletes the following file(s):
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OUQkMkgc.bat (0 bytes)
\Device\HarddiskVolume1\%original file name%.exe (0 bytes)
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ukIMccQI.bat (0 bytes)
The process %original file name%.exe:1128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KcUMMkYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SgEQUAEM.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KcUMMkYM.bat (0 bytes)
The process %original file name%.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JaUkkMwI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OMAQMUUA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OMAQMUUA.bat (0 bytes)
The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DOIcsUgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pMcgsIgQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pMcgsIgQ.bat (0 bytes)
The process %original file name%.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sgAwMEEo.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KaQAgIIo.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KaQAgIIo.bat (0 bytes)
The process %original file name%.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gSwcUcYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qUkcoAQQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gSwcUcYI.bat (0 bytes)
The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IcEsIYMQ.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\okIsMskQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\okIsMskQ.bat (0 bytes)
The process %original file name%.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hgwgIgkQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqgoAMQc.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hgwgIgkQ.bat (0 bytes)
The process %original file name%.exe:1052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mYAkMsMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vYkgQkck.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mYAkMsMk.bat (0 bytes)
The process %original file name%.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dYIAcgwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TgskcMgg.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dYIAcgwE.bat (0 bytes)
The process %original file name%.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UGEIgoMw.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UgUIcscI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UgUIcscI.bat (0 bytes)
The process %original file name%.exe:1652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iOQUkUkI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ukwAoUUA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ukwAoUUA.bat (0 bytes)
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQwkAQIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wagowYEQ.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQwkAQIc.bat (0 bytes)
The process %original file name%.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jakIMgck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwggksso.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jakIMgck.bat (0 bytes)
The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IksUUgcQ.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pcgAsYYw.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pcgAsYYw.bat (0 bytes)
The process %original file name%.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sgkAMock.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eKYUMQQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pGQUkYMw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xSockgQg.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sgkAMock.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xSockgQg.bat (0 bytes)
The process %original file name%.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CwYcsAwg.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMQYsskA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CwYcsAwg.bat (0 bytes)
The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eMQwAIIs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JUYIgcko.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\JUYIgcko.bat (0 bytes)
The process %original file name%.exe:380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YQsgcUoA.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SIgEIcUg.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SIgEIcUg.bat (0 bytes)
The process %original file name%.exe:1032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEYoQMwI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PugQUgsE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZEYoQMwI.bat (0 bytes)
The process %original file name%.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCwwEwUY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgAAIwks.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EgAAIwks.bat (0 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vEwEgEUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZgQwIgwg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vEwEgEUQ.bat (0 bytes)
The process %original file name%.exe:268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zAggkAYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zwgcooko.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zAggkAYM.bat (0 bytes)
The process %original file name%.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZEoIwAQE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DQcIMUgE.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZEoIwAQE.bat (0 bytes)
The process %original file name%.exe:908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fQoYIIAY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tQUMYIYU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tQUMYIYU.bat (0 bytes)
The process %original file name%.exe:1972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AskkMcUk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZIIokooY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AskkMcUk.bat (0 bytes)
The process %original file name%.exe:2020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cEEosQwY.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEAwAAMI.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cEEosQwY.bat (0 bytes)
The process %original file name%.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PcwEUQgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xAogEQwM.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PcwEUQgI.bat (0 bytes)
The process %original file name%.exe:296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oyYwYIwg.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lOgQsMEQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lOgQsMEQ.bat (0 bytes)
The process %original file name%.exe:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WiYQEkcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LgQkscIE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LgQkscIE.bat (0 bytes)
The process %original file name%.exe:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hUowwosQ.bat (4 bytes)
%Documents and Settings%\All Users\xWAMIgUE\zuMEoUcg.exe (7713 bytes)
%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe (7761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nGcsAMQM.bat (112 bytes)
%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe (7785 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hUowwosQ.bat (0 bytes)
The process %original file name%.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qeoogIgQ.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xyoMMAEA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qeoogIgQ.bat (0 bytes)
The process hEMQMIQs.exe:1212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\NAAo.txt (44558 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
Registry activity
The process :0 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 6D 63 1D CC B4 E8 4F 5C 8C F2 D1 44 59 13 FE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
The process cscript.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 1D E9 FB FB 9F 5F 3B A0 1B 09 2C 9E 8A 52 22"
The process cscript.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 02 1B 68 21 57 F9 34 9A 67 6F 2A A1 7E DD F8"
The process cscript.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 2B A6 88 5A 5B 06 72 D9 E5 07 35 97 5B DD 91"
The process cscript.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F C1 AA 64 DA E9 DB FD 4E BD E1 DE 5F 84 DA AF"
The process cscript.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 60 83 C3 E8 68 07 45 D4 34 8D DB 70 16 35 17"
The process cscript.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 7D D6 9E CD 47 FE 32 CC 57 72 6B E6 6C C9 7C"
The process cscript.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 4C 3C 33 F5 29 55 C5 7E D3 56 53 A6 DC 1A 7C"
The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 DD E9 54 95 A1 A8 C9 19 4B 5D 7D 2D E2 F3 9C"
The process cscript.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 41 50 5F B7 0B 8F 91 63 9D A0 54 DD 56 15 BD"
The process cscript.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 54 76 2C CC 6F 40 8D 79 9B 9E 70 C9 F2 A2 01"
The process cscript.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 0E F2 A9 69 DC 3F 92 9C C2 C6 2B 26 77 72 1D"
The process cscript.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 0F 6A 8C 11 6C 80 F3 E7 28 74 52 50 8D 2F 83"
The process cscript.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 6C 3F 66 58 23 09 FD 5E 82 71 B6 5A F5 3F 9F"
The process cscript.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 72 EB C7 F9 F0 8C 50 05 1E EA 29 65 1A 95 6C"
The process cscript.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 ED F6 01 BC 37 3C 10 64 40 F1 92 57 02 38 7A"
The process cscript.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 47 36 B9 6E 9D 78 A7 F4 2E 50 58 32 2C 7A 23"
The process cscript.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 E0 4E FD 38 8F 91 D2 37 4E 0B 1F 56 7D 2F 43"
The process cscript.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 C5 F0 E5 0E F1 24 AD EB 73 89 88 78 4D 90 47"
The process cscript.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 AF 37 35 93 6B F4 6E C5 2C C7 52 50 9E 0B 31"
The process cscript.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 7D 48 FD 34 97 CD 67 29 59 C9 59 F3 C4 B7 38"
The process cscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 98 CC 9F D5 BC 9A CC 9D 0E B4 CB F1 75 74 84"
The process cscript.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 95 19 27 B0 F7 20 B3 5F 89 A8 E7 22 FE EB 59"
The process cscript.exe:720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 60 42 7F 72 71 C1 AE 68 D9 D0 2C 2B A7 91 39"
The process cscript.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D F5 96 AE 9A F1 3A DB 17 CC D6 32 76 35 98 33"
The process cscript.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 FC 2B 81 C6 6E A5 D3 AE 76 41 6D 6B 20 B3 D5"
The process cscript.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C BB A0 30 DA C7 8C FB D3 40 20 D3 C2 BB 66 9A"
The process cscript.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 4E EF 88 4A F0 51 C2 46 34 56 A3 24 F8 85 93"
The process cscript.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 4F D5 71 48 F0 AC 2A DE 97 11 32 AE 50 5E 9D"
The process zuMEoUcg.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 C6 8A E2 CE 39 AB A1 42 D0 D9 86 63 54 F2 31"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"
The process %original file name%.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 3C DF C1 60 BB 53 2F FD 08 C1 3D 7F A0 A0 82"
The process %original file name%.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 DA 2D 22 01 81 69 3F 57 2A 97 41 2B 0A DE B9"
The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 1E 0F 6A 24 9A F3 1B CD 3B 45 8A 64 30 50 D4"
The process %original file name%.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 B5 39 35 DB 77 91 26 D0 37 95 7F C7 F0 C5 E4"
The process %original file name%.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 3F 20 2D AB D9 76 06 A3 30 78 D6 03 F0 EB 0A"
The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 C5 9E B6 2F 1F 8D D5 45 0E 4D 22 1E 79 A3 96"
The process %original file name%.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 4D A7 16 E6 01 A2 F5 88 49 6B 4E F3 65 06 DB"
The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 D4 5E 18 AF 87 0F 60 B8 64 38 38 F5 F2 5D D3"
The process %original file name%.exe:1052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A AB 6D 6F 55 BD B4 5B F3 7F C6 EB C0 43 47 FC"
The process %original file name%.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 2D 28 42 67 AA 2B 07 28 B9 FB 78 81 8D 6F 81"
The process %original file name%.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 C7 76 00 DC D4 31 14 29 A6 8B 90 BB 1C DB F2"
The process %original file name%.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 35 AA 72 52 F5 05 CD E3 32 8D A9 42 86 84 63"
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 26 F0 7F 6E 80 4E D1 91 E3 39 4B AF EF 59 89"
The process %original file name%.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 CA 9E 07 08 9C 88 DF 66 41 9E 9C F6 67 E3 01"
The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C BB 9E 44 91 FE 8B F1 CB 19 2C C3 5E C3 D1 E5"
The process %original file name%.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D EE C7 1F 27 74 01 F8 41 16 C8 FE 3C FF 9B 1B"
The process %original file name%.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE A2 BA 2F C4 96 5C 31 D4 AA 00 D6 62 F3 BB 5F"
The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 1A 59 BD 86 F9 60 13 48 6E B9 99 DB A3 2C 20"
The process %original file name%.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E E8 73 70 98 A3 7A B8 7C 9A 3F C3 D7 F6 61 B0"
The process %original file name%.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 4E F7 A7 53 38 88 A6 76 06 33 EE 26 54 0A 4F"
The process %original file name%.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 66 DF 0C 18 D9 C9 14 44 11 22 F2 94 16 FA 82"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 1D 4D 07 73 6B 92 AC B2 A4 86 75 98 A4 75 37"
The process %original file name%.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A F5 D2 83 04 0A CF 0F 6B 2E C4 17 0B 99 15 55"
The process %original file name%.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 05 85 EA EC 14 2E 71 8D 57 63 E5 3B 1B CB C7"
The process %original file name%.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 39 E8 59 10 0D E8 3D F1 46 F5 B1 34 47 14 25"
The process %original file name%.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 84 31 69 A3 2D E2 E3 3E 71 F5 7C 4F 89 ED 08"
The process %original file name%.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 2C 18 CE B1 2B 1B 39 A5 C9 DD 1A AE D5 5A 39"
The process %original file name%.exe:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 92 F8 83 F6 18 01 E7 AA E8 9C F9 A2 46 30 AC"
The process %original file name%.exe:296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 5F BF 5D B2 23 C8 69 09 CB F5 EA D9 CE AF 51"
The process %original file name%.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 64 D8 32 A7 31 77 B4 D2 AC 4F 36 3B BD 78 9D"
The process %original file name%.exe:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 C6 0D 07 63 D3 7A 79 92 19 4E BA CA 1B DA EE"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hmwooYMM.exe" = "%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"
The process %original file name%.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 5E DE DB 1B 1B 6A 2B CE F8 AA 63 7A 79 8D 27"
The process hmwooYMM.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 D9 5F C6 A7 21 C8 B6 2F A2 2F EA A9 FE 6B 0B"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hmwooYMM.exe" = "%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe"
The process hEMQMIQs.exe:1212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D E2 2C ED 94 42 7F 2B 7E ED EB AA 8F 46 AB CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"
Dropped PE files
MD5 | File path |
---|---|
16e9ef9922de52a6121a399124f5d116 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
c2347f2083e2248f2776e7762ee31ac1 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
c3751db9b1084c836ec869fd935a05b4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
742d4a4c09f2b17bb44a6e51ed203c6c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
cb998a377ae3fe466f46de4550130aaf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
77abf77b3c274b7323b089fdad3d1101 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
243271b45a15e00a6a9875fde78c2ef5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
617ad05567897b3e2c4ae7831f2113d3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
41305f836fabc005496634616872b585 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
c1f578d58572596c65431c0b812a5c12 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
cb225cd967fdc396db7a8c864057830d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
b2fa775b8f9eff48174a4438d1218e5a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
0ace2376b0bea6666e35971627dc071d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
7aa4fc359028f0b911464c592a8d9a82 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
89c9169322824ad1f4f4fa183b675c0a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
ba827b2a03a829a161623d23f82ef494 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
d7116cde86fe0bb623d7e8d02ea9428d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
2da4542ae5c1b7826df6e9eb0c8efaea | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
35d2feef75dde4a7b221d385d775ac30 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
b36b355f06f39172f07da53c1516c170 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
b9be41cc75f3925077e84cc1f7e13485 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
37536a66e2e74f7647542cbb362d5e37 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
f738a145054a5cac5f6e1b8db0b9d12e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
33d3dfd406005e3d93cf05da68df2019 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
4edcd336e89ba119fb5320d6bf59124d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
c9d4f78ad0dd64051d10938a2b9b4b86 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
2e7bbb013482597ad32196d96aec740c | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
b7417fe9566e95ad1dc53d8ffd5e42f4 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
3c36342c9cd7a01c3c93ec33672a632c | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
94875bd812a18843d59d4cb30398760f | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
a9e81db96a92c1d265fc784333ca2cf1 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
9bae8cc8b1c9fa061b580346b5eade6b | c:\Documents and Settings\All Users\JUsIccwo\hEMQMIQs.exe |
b42f72f388ba7a47249b53199509988d | c:\Documents and Settings\All Users\xWAMIgUE\zuMEoUcg.exe |
a078128a85182ab367ec4accc5dc7ec9 | c:\Documents and Settings\"%CurrentUserName%"\tiMscAww\hmwooYMM.exe |
79df908d65ee283443bb906c833ae105 | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
681ba744d8475a3f97465530be40b6ca | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
7ba45c1b09a493b53ae00eadb7896334 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
286086977565d3c64771260d8c63f436 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
e99caa2cbb690d99ae36f64334c2bbd0 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
5b1243e17e699e5cca42a343ce6de267 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
838522bfc71e07cd9b338e733c2ce8f0 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
:0
cscript.exe:556
cscript.exe:456
cscript.exe:1972
cscript.exe:392
cscript.exe:236
cscript.exe:1712
cscript.exe:1612
cscript.exe:1944
cscript.exe:656
cscript.exe:2036
cscript.exe:1520
cscript.exe:368
cscript.exe:1236
cscript.exe:996
cscript.exe:1216
cscript.exe:1312
cscript.exe:896
cscript.exe:564
cscript.exe:1592
cscript.exe:860
cscript.exe:908
cscript.exe:1648
cscript.exe:720
cscript.exe:1384
cscript.exe:1688
cscript.exe:2008
cscript.exe:1004
cscript.exe:376
%original file name%.exe:1128
%original file name%.exe:604
%original file name%.exe:600
%original file name%.exe:596
%original file name%.exe:488
%original file name%.exe:608
%original file name%.exe:456
%original file name%.exe:552
%original file name%.exe:1052
%original file name%.exe:1968
%original file name%.exe:656
%original file name%.exe:1652
%original file name%.exe:1756
%original file name%.exe:916
%original file name%.exe:2012
%original file name%.exe:1024
%original file name%.exe:564
%original file name%.exe:588
%original file name%.exe:380
%original file name%.exe:1032
%original file name%.exe:1492
%original file name%.exe:228
%original file name%.exe:268
%original file name%.exe:1284
%original file name%.exe:908
%original file name%.exe:1972
%original file name%.exe:2020
%original file name%.exe:532
%original file name%.exe:296
%original file name%.exe:1516
%original file name%.exe:1380
%original file name%.exe:680
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OUQkMkgc.bat (4 bytes)
\Device\HarddiskVolume1\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\QiAIQsMM.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KcUMMkYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SgEQUAEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JaUkkMwI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OMAQMUUA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DOIcsUgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pMcgsIgQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgAwMEEo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KaQAgIIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gSwcUcYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qUkcoAQQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IcEsIYMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\okIsMskQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hgwgIgkQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqgoAMQc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mYAkMsMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vYkgQkck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dYIAcgwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TgskcMgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UGEIgoMw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UgUIcscI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iOQUkUkI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ukwAoUUA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQwkAQIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wagowYEQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jakIMgck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwggksso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IksUUgcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pcgAsYYw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgkAMock.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eKYUMQQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pGQUkYMw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xSockgQg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CwYcsAwg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMQYsskA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eMQwAIIs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JUYIgcko.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YQsgcUoA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SIgEIcUg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEYoQMwI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PugQUgsE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCwwEwUY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgAAIwks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vEwEgEUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZgQwIgwg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zAggkAYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zwgcooko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEoIwAQE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DQcIMUgE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fQoYIIAY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tQUMYIYU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AskkMcUk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZIIokooY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cEEosQwY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEAwAAMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PcwEUQgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xAogEQwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oyYwYIwg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lOgQsMEQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WiYQEkcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LgQkscIE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hUowwosQ.bat (4 bytes)
%Documents and Settings%\All Users\xWAMIgUE\zuMEoUcg.exe (7713 bytes)
%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe (7761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nGcsAMQM.bat (112 bytes)
%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe (7785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qeoogIgQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xyoMMAEA.bat (112 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\NAAo.txt (44558 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hmwooYMM.exe" = "%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe,"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1003520 | 1003008 | 5.45196 | eff1ec6132a066b251a5828e711bf0dc |
.rdata | 1007616 | 4096 | 512 | 1.8422 | 1a4ee8ca4a76932f2e24490992aa0328 |
.data | 1011712 | 4 | 512 | 0.053811 | b0eaf7ee5b4e1579ad069e19b91a07b5 |
.rsrc | 1015808 | 1372 | 1536 | 2.29584 | ce6dd03e2cb57f1b3db7a1002f243800 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):