Skip to main content

Gen.Variant.Kazy.1750_34806dcbe3


HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.1750 (B) (Emsisoft), Gen:Variant.Kazy.1750 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 34806dcbe3e1df48f5f62f8b3380c55d

SHA1: 17c0708ec04b17934729ca164407dfe0239d5261

SHA256: 69f3074e272a23e656dae7bc2098e8564e7423b27c5dd79b7e695837414fe43a

SSDeep: 12288:CQiILiiEtabcstvz/HB2J1HCs6tdORYfjKPZejl8 xsu9SbSp9348qlWm7W4CZ I:CQiI2idpNTB2 rt9KW8 2qS vJ4Op1n

Size: 1001984 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2015-02-07 11:53:36

Analyzed on: WindowsXP SP3 32-bit

Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3904
%original file name%.exe:2964
%original file name%.exe:3240
%original file name%.exe:2988
%original file name%.exe:2960
%original file name%.exe:624
%original file name%.exe:312
%original file name%.exe:2844
%original file name%.exe:2636
%original file name%.exe:332
%original file name%.exe:1920
%original file name%.exe:3380
%original file name%.exe:3824
%original file name%.exe:1924
%original file name%.exe:2548
%original file name%.exe:3308
%original file name%.exe:3736
%original file name%.exe:3164
%original file name%.exe:2896
%original file name%.exe:2196
%original file name%.exe:1208
%original file name%.exe:4008
%original file name%.exe:2344
%original file name%.exe:1908
%original file name%.exe:2540
%original file name%.exe:3472
%original file name%.exe:2544
%original file name%.exe:668
%original file name%.exe:3100
%original file name%.exe:3516
%original file name%.exe:3256
%original file name%.exe:2984
%original file name%.exe:656
%original file name%.exe:2380
%original file name%.exe:2268
%original file name%.exe:652
%original file name%.exe:1468
%original file name%.exe:2244
%original file name%.exe:1652
%original file name%.exe:2748
%original file name%.exe:1676
%original file name%.exe:2364
%original file name%.exe:2076
%original file name%.exe:2264
%original file name%.exe:2668
%original file name%.exe:2428
%original file name%.exe:3664
%original file name%.exe:3836
%original file name%.exe:336
%original file name%.exe:2280
%original file name%.exe:3596
%original file name%.exe:3608
%original file name%.exe:304
%original file name%.exe:1932
%original file name%.exe:2856
%original file name%.exe:1048
%original file name%.exe:244
%original file name%.exe:1148
%original file name%.exe:1956
%original file name%.exe:3404
%original file name%.exe:3056
%original file name%.exe:2632
%original file name%.exe:248
%original file name%.exe:644
%original file name%.exe:3880
%original file name%.exe:1644
%original file name%.exe:2640
%original file name%.exe:3540
%original file name%.exe:3448
%original file name%.exe:3564
%original file name%.exe:3152
%original file name%.exe:3500
%original file name%.exe:2492
%original file name%.exe:1288
%original file name%.exe:536
%original file name%.exe:2752
%original file name%.exe:352
%original file name%.exe:2416
%original file name%.exe:296
%original file name%.exe:2376
%original file name%.exe:2104
%original file name%.exe:3820
%original file name%.exe:2148
cscript.exe:1128
cscript.exe:2616
cscript.exe:2736
cscript.exe:212
cscript.exe:3808
cscript.exe:2592
cscript.exe:1080
cscript.exe:1328
cscript.exe:1260
cscript.exe:3060
cscript.exe:3272
cscript.exe:3256
cscript.exe:1908
cscript.exe:2824
cscript.exe:4084
cscript.exe:1896
cscript.exe:3208
cscript.exe:2928
cscript.exe:172
cscript.exe:2940
cscript.exe:2344
cscript.exe:3476
cscript.exe:3644
cscript.exe:3108
cscript.exe:2340
cscript.exe:3380
cscript.exe:2056
cscript.exe:4000
cscript.exe:256
cscript.exe:2224
cscript.exe:3796
cscript.exe:2304
cscript.exe:1944
cscript.exe:3588
cscript.exe:3972
cscript.exe:2684
cscript.exe:1476
cscript.exe:1676
cscript.exe:2364
cscript.exe:3896
cscript.exe:3928
cscript.exe:2500
cscript.exe:2080
cscript.exe:2620
cscript.exe:2456
cscript.exe:2876
cscript.exe:4092
cscript.exe:3384
cscript.exe:2936
cscript.exe:1336
cscript.exe:1796
cscript.exe:3876
cscript.exe:1152
cscript.exe:3708
cscript.exe:2484
cscript.exe:1800
cscript.exe:3648
cscript.exe:3268
cscript.exe:2728
cscript.exe:3176
cscript.exe:3508
cscript.exe:2088
cscript.exe:1636
cscript.exe:2768
cscript.exe:3460
cscript.exe:3036
cscript.exe:2232
cscript.exe:4072
cscript.exe:2108
cscript.exe:3988
cscript.exe:532
cscript.exe:412
cscript.exe:3164
cscript.exe:2164
cscript.exe:2376
cscript.exe:1664
cscript.exe:2536
cscript.exe:1724
cscript.exe:3484

The Trojan injects its code into the following process(es):

fGAwoYMM.exe:1276
reIEcoQI.exe:1564
NesIMIQs.exe:900

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process fGAwoYMM.exe:1276 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)

The process %original file name%.exe:3904 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FSsoUwUA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NKUsAggo.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NKUsAggo.bat (0 bytes)

The process %original file name%.exe:2964 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqUYgcIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MwIgkQQc.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MwIgkQQc.bat (0 bytes)

The process %original file name%.exe:3240 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UsccogcU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQoEIgAQ.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EQoEIgAQ.bat (0 bytes)

The process %original file name%.exe:2988 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SSMUEIMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HsQwsAIc.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HsQwsAIc.bat (0 bytes)

The process %original file name%.exe:2960 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UGEUMkUs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BmYkcQcU.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BmYkcQcU.bat (0 bytes)

The process %original file name%.exe:624 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EacgAIMA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zoEYUowg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zoEYUowg.bat (0 bytes)

The process %original file name%.exe:312 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TeYMMwgg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iMAosYIA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TeYMMwgg.bat (0 bytes)

The process %original file name%.exe:2844 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iekMYAQE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teIYoYkw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\teIYoYkw.bat (0 bytes)

The process %original file name%.exe:2636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pqQoMYQY.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lAYkoYUk.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pqQoMYQY.bat (0 bytes)

The process %original file name%.exe:332 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JYcswMAs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rEkkgMco.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rEkkgMco.bat (0 bytes)

The process %original file name%.exe:1920 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zIkEkAEo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GWAkMokI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GWAkMokI.bat (0 bytes)

The process %original file name%.exe:3380 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qWYkIYQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiAoUoEY.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NiAoUoEY.bat (0 bytes)

The process %original file name%.exe:3824 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sKsEcQYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\poEYUIog.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sKsEcQYA.bat (0 bytes)

The process %original file name%.exe:1924 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MWoEUQkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pyockIUk.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pyockIUk.bat (0 bytes)

The process %original file name%.exe:2548 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LScEAAsQ.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ROgYkAos.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LScEAAsQ.bat (0 bytes)

The process %original file name%.exe:3308 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NCsgwkAk.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmoYIEsE.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NCsgwkAk.bat (0 bytes)

The process %original file name%.exe:3736 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YaUckQUE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JoYkUoEg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OikgMAcs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JyUUIgso.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YaUckQUE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JyUUIgso.bat (0 bytes)

The process %original file name%.exe:3164 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tYkMoAAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmEgossI.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jmEgossI.bat (0 bytes)

The process %original file name%.exe:2196 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VYoMIwMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fUAcIksw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fUAcIksw.bat (0 bytes)

The process %original file name%.exe:1208 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FgEgMcoc.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCsEYgMw.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xCsEYgMw.bat (0 bytes)

The process %original file name%.exe:4008 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ouMwkoYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hMosAsEE.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ouMwkoYQ.bat (0 bytes)

The process %original file name%.exe:2344 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mkwkIMww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nUEsoQcg.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mkwkIMww.bat (0 bytes)

The process %original file name%.exe:1908 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QugQUcIQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WucEIMQw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WucEIMQw.bat (0 bytes)

The process %original file name%.exe:2540 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\guUYEkgE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiwAgQQA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NiwAgQQA.bat (0 bytes)

The process %original file name%.exe:3472 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nKYEIggg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WWIMcwcw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WWIMcwcw.bat (0 bytes)

The process %original file name%.exe:2544 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VOIcsosY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWEcEMUA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DWEcEMUA.bat (0 bytes)

The process %original file name%.exe:668 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rUQIIYAg.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7713 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7737 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jeUsEoUo.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rUQIIYAg.bat (0 bytes)

The process %original file name%.exe:3100 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BgIMAcgc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gQIcYQgQ.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BgIMAcgc.bat (0 bytes)

The process %original file name%.exe:3516 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MkcMssAw.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QewMskQY.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QewMskQY.bat (0 bytes)

The process %original file name%.exe:3256 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OOUskAkg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nAIcYsAg.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OOUskAkg.bat (0 bytes)

The process %original file name%.exe:2984 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vUcIUogc.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMAwkAgw.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vUcIUogc.bat (0 bytes)

The process %original file name%.exe:656 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kkUMIscQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQMIoMsE.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EQMIoMsE.bat (0 bytes)

The process %original file name%.exe:2380 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UkUkwAIY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ROQkoogU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UkUkwAIY.bat (0 bytes)

The process %original file name%.exe:2268 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iwsgAQIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mUUgwAwk.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iwsgAQIo.bat (0 bytes)

The process %original file name%.exe:652 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TysUUcgY.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOcYQMIs.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JOcYQMIs.bat (0 bytes)

The process %original file name%.exe:1468 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LuoQQIAU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oGYMYYcQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oGYMYYcQ.bat (0 bytes)

The process %original file name%.exe:2244 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cUMsUwIA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgUgYsEc.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pgUgYsEc.bat (0 bytes)

The process %original file name%.exe:1652 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\geoUMAUo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqwMcMYM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\geoUMAUo.bat (0 bytes)

The process %original file name%.exe:2748 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cIAkgEEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xIogkMoQ.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xIogkMoQ.bat (0 bytes)

The process %original file name%.exe:1676 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hewcUUYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hkogIkAE.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hkogIkAE.bat (0 bytes)

The process %original file name%.exe:2364 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ickwgEcw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWMUYYAY.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ickwgEcw.bat (0 bytes)

The process %original file name%.exe:2076 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mGwkYgIM.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bGYokksA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mGwkYgIM.bat (0 bytes)

The process %original file name%.exe:2264 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xOIUQcMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dGAwYkII.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xOIUQcMI.bat (0 bytes)

The process %original file name%.exe:2668 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\swoYwcIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQwIEAcg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dQwIEAcg.bat (0 bytes)

The process %original file name%.exe:2428 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MAsMMkwo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SQAIIgcI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SQAIIgcI.bat (0 bytes)

The process %original file name%.exe:3664 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\COIQksIo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqUoEoIU.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pqUoEoIU.bat (0 bytes)

The process %original file name%.exe:3836 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYsokk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmEgIcQU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYsokk.bat (0 bytes)

The process %original file name%.exe:336 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmEEAkwM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWkcQsww.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CWkcQsww.bat (0 bytes)

The process %original file name%.exe:2280 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OsEgYkcg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JgAQgYck.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JgAQgYck.bat (0 bytes)

The process %original file name%.exe:3596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EywYsooQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ASQIIgEE.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EywYsooQ.bat (0 bytes)

The process %original file name%.exe:3608 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kQUAgocA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QOIYowkA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QOIYowkA.bat (0 bytes)

The process %original file name%.exe:304 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rUcQkwIk.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hGIAYYQs.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hGIAYYQs.bat (0 bytes)

The process %original file name%.exe:1932 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FEUMUkwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KsEEwsgg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KsEEwsgg.bat (0 bytes)

The process %original file name%.exe:2856 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hwYgEoMo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VKskgQIw.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VKskgQIw.bat (0 bytes)

The process %original file name%.exe:1048 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UCUscwEU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MywsQIog.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UCUscwEU.bat (0 bytes)

The process %original file name%.exe:244 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fkMkUQAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bokUkwUg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bokUkwUg.bat (0 bytes)

The process %original file name%.exe:1148 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KAEgIUgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouAQwsMI.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KAEgIUgs.bat (0 bytes)

The process %original file name%.exe:1956 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vGcQsYUs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UiMUwAEU.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UiMUwAEU.bat (0 bytes)

The process %original file name%.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ueUAkIIM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kIYcEwUU.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kIYcEwUU.bat (0 bytes)

The process %original file name%.exe:3056 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CCIUMMUc.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SgEogMEs.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SgEogMEs.bat (0 bytes)

The process %original file name%.exe:2632 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hOEYYMoI.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CGUUQQkA.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CGUUQQkA.bat (0 bytes)

The process %original file name%.exe:248 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pOQwUcEI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UmwIQoYA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pOQwUcEI.bat (0 bytes)

The process %original file name%.exe:644 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wssMMIII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PigogsQs.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wssMMIII.bat (0 bytes)

The process %original file name%.exe:3880 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\biwQEMMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scQoUQUs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\biwQEMMA.bat (0 bytes)

The process %original file name%.exe:1644 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sOYwQYMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RcIokMEg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RcIokMEg.bat (0 bytes)

The process %original file name%.exe:2640 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vgcIgccQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cisoMAso.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vgcIgccQ.bat (0 bytes)

The process %original file name%.exe:3540 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WyAwAkwk.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RykEwgAI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RykEwgAI.bat (0 bytes)

The process %original file name%.exe:3448 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OasIgQgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WqgYsgQM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OasIgQgw.bat (0 bytes)

The process %original file name%.exe:3564 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DQgAggoc.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWUIMUcQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DWUIMUcQ.bat (0 bytes)

The process %original file name%.exe:3152 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dYcIEAwA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QmgUEQEk.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QmgUEQEk.bat (0 bytes)

The process %original file name%.exe:3500 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uWEgEEUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eSoAckcE.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uWEgEEUs.bat (0 bytes)

The process %original file name%.exe:2492 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZoAYoEEM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VoQYkgAI.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZoAYoEEM.bat (0 bytes)

The process %original file name%.exe:1288 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BIoIUcgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DCYcwMEg.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BIoIUcgo.bat (0 bytes)

The process %original file name%.exe:536 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sQQcogEI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\augwEksM.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\augwEksM.bat (0 bytes)

The process %original file name%.exe:2752 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wCEoYQYs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GicUsEwA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GicUsEwA.bat (0 bytes)

The process %original file name%.exe:352 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ymkkkQYY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gOwgkEYU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ymkkkQYY.bat (0 bytes)

The process %original file name%.exe:2416 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DkowwcEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWkYIwcs.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CWkYIwcs.bat (0 bytes)

The process %original file name%.exe:296 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YecMEgsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PiwowYIQ.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YecMEgsc.bat (0 bytes)

The process %original file name%.exe:2376 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MEIMcsAA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KwIQkkgA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MEIMcsAA.bat (0 bytes)

The process %original file name%.exe:2104 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UOscIYQw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kGcogIcI.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kGcogIcI.bat (0 bytes)

The process %original file name%.exe:3820 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iQwIAAQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wUgcwwgg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wUgcwwgg.bat (0 bytes)

The process %original file name%.exe:2148 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SQQoooII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WeMEoUgM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SQQoooII.bat (0 bytes)

Registry activity

The process fGAwoYMM.exe:1276 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 2B 22 85 AA 36 37 9A 14 FA 05 4D 47 6E 33 FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:1564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 68 AC FA 09 29 0A A0 5E B7 6F 4F D8 33 BB 33"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:3904 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 06 DE BA 08 41 43 4C 75 D6 F8 78 9A BE 8E 6A"

The process %original file name%.exe:2964 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 0F 3E 36 69 53 8F 2A C7 20 98 DE 1D 25 1C A4"

The process %original file name%.exe:3240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 8B 88 BE B9 A5 47 BB EF 85 B7 6A 8A FC D6 F3"

The process %original file name%.exe:2988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 E6 B8 B2 1E B0 15 60 EE BC B9 21 D1 79 F3 93"

The process %original file name%.exe:2960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 DF FC CD 44 BA 58 1A 09 E7 CC B9 E3 66 62 DB"

The process %original file name%.exe:624 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 1A 9B F5 46 86 F6 66 31 4C 37 CF B4 C5 93 18"

The process %original file name%.exe:312 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 DA 49 0B C1 62 D3 58 7F AC 19 A4 C9 A8 15 A5"

The process %original file name%.exe:2844 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 B6 B3 A3 DB A7 2B 4B B1 68 6C 4C CD DD 2F EE"

The process %original file name%.exe:2636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 EB C4 9C 2C BC 99 4A 6A 52 E3 94 D8 9B 8E D9"

The process %original file name%.exe:332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 8C D6 17 17 0F F9 F5 D3 42 86 21 54 D9 2C 3D"

The process %original file name%.exe:1920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 B2 87 7D 7C 2C 59 39 B9 E3 26 01 85 CA B8 AB"

The process %original file name%.exe:3380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 AC 11 16 8C A7 EA 5D C1 AA 66 51 A0 D5 A7 BA"

The process %original file name%.exe:3824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D FE 51 E8 0B F5 B0 8B 28 94 28 AC 5F 42 28 AC"

The process %original file name%.exe:1924 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 14 18 26 FF 49 D9 27 F7 35 A0 74 F1 79 84 9E"

The process %original file name%.exe:2548 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 04 55 71 CF 6D 20 0D A1 3B 05 80 7C E9 F2 BA"

The process %original file name%.exe:3308 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 B9 A3 B0 29 15 2A 20 FC D6 25 47 6A 26 41 BD"

The process %original file name%.exe:3736 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 8D AA 85 15 D0 0A DC B8 60 65 BA 55 2D 4D 1E"

The process %original file name%.exe:3164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 77 DA 07 D1 36 50 07 F6 4F 4E E1 7B 7A 1E 23"

The process %original file name%.exe:2896 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 6F 9C CC 78 C8 BE 1E E9 6C F4 C6 0E 23 BA 65"

The process %original file name%.exe:2196 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 89 04 BA 36 32 FF 63 AE 8F 88 6B 1D 2B 0F 2C"

The process %original file name%.exe:1208 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 36 FE 77 85 AF 9F 80 30 72 59 76 43 33 86 BF"

The process %original file name%.exe:4008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 03 CD 64 B1 50 C2 FB 9B 32 6F 08 21 33 7D 0E"

The process %original file name%.exe:2344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 F7 C3 CD 69 99 B5 A5 59 28 FA 36 DA CD 8F 4F"

The process %original file name%.exe:1908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 82 F5 32 CF D8 EF FB BF 44 55 30 A6 E2 80 DD"

The process %original file name%.exe:2540 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B3 53 75 7E 6C A0 20 44 CC 93 AF 59 06 2C 4C"

The process %original file name%.exe:3472 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 F3 A6 7E E4 84 56 84 97 1A F4 C8 7D AC 65 A5"

The process %original file name%.exe:2544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 1B 48 C4 37 CF C9 4B A2 1B D4 B6 5C F7 3B 75"

The process %original file name%.exe:668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 7E B7 B5 43 A7 A1 CC 86 0C 6E F5 C0 C1 F7 1B"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:3100 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 DF CA 71 D8 67 96 90 82 01 EF 36 49 37 67 A5"

The process %original file name%.exe:3516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 1F A2 D0 2F C7 8C C5 3A 7D AB C4 74 F4 F7 87"

The process %original file name%.exe:3256 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C BC 3E E6 E8 E3 BA E8 53 EE C0 4B F2 91 70 5E"

The process %original file name%.exe:2984 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 DC B9 DF 1F B2 DB CD D3 C8 55 3E F4 AD 89 5A"

The process %original file name%.exe:656 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AC 31 34 67 1A D2 59 77 1F CF D0 62 57 21 A7"

The process %original file name%.exe:2380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 37 AB 2E 0B 40 D3 BF 3B D8 1E 07 2C FD E1 A1"

The process %original file name%.exe:2268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 63 C8 22 12 20 2B 52 80 8D 73 D1 04 C8 21 58"

The process %original file name%.exe:652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 B9 A3 18 6A 12 92 21 99 E7 00 EA 6E 84 A1 5F"

The process %original file name%.exe:1468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 33 44 B1 23 D0 78 09 71 0F 95 25 FD 9D 1B 8C"

The process %original file name%.exe:2244 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 65 72 3F ED AA 22 2F 4E 32 AB F3 D6 FA F9 00"

The process %original file name%.exe:1652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BD 7A 3A 19 FE F4 A1 88 92 4D E9 9D CF 38 F2"

The process %original file name%.exe:2748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 35 7F D3 30 A3 BB F4 9D 43 5C 48 00 54 53 60"

The process %original file name%.exe:1676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 0B BD 75 D3 76 A9 0F 83 5A 73 F6 48 D8 DB 43"

The process %original file name%.exe:2364 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 50 DF 5B 22 ED 3C CA B6 44 7A C5 80 3A 7A 98"

The process %original file name%.exe:2076 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 38 3F C0 94 38 78 4F A2 0F 66 A4 6E 75 68 2F"

The process %original file name%.exe:2264 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C E3 D3 09 A1 DE 99 B8 39 B6 0C 04 67 C3 0D A0"

The process %original file name%.exe:2668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 98 30 00 CB DF 10 5B 6D 87 B7 26 60 4F BD 99"

The process %original file name%.exe:2428 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 2F 10 AC B4 FE B4 BD AA C3 42 07 3D 4B 89 F6"

The process %original file name%.exe:3664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 A0 B7 11 78 97 BC 63 B6 47 DE A0 82 24 96 A1"

The process %original file name%.exe:3836 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 A1 A1 A7 58 DD 00 B6 61 53 D9 D1 15 BF 59 E5"

The process %original file name%.exe:336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 2F 79 1B F1 1E B1 00 A3 3B 63 D4 12 CB 07 4F"

The process %original file name%.exe:2280 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 70 C6 B8 4C B7 2D 34 1C B3 2D 0A AA 1C 60 C0"

The process %original file name%.exe:3596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 50 53 DF E7 65 6B 2D 96 44 8A 6C 74 4E 03 63"

The process %original file name%.exe:3608 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 4C FB 70 BC AF 70 AF BE FC 2A B5 DE 32 C5 77"

The process %original file name%.exe:304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 D3 20 13 72 8E 21 AE B8 0B E3 0B BB D6 A7 D5"

The process %original file name%.exe:1932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 64 BE 61 C7 64 5B 83 EF CF 25 31 32 B3 BC B7"

The process %original file name%.exe:2856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E1 30 E4 13 C3 CA FE B3 93 73 A9 58 DB 5F A4"

The process %original file name%.exe:1048 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 D3 2A C0 FA 8C 48 3F BF 95 EE 1F A1 04 00 BA"

The process %original file name%.exe:244 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D E4 33 F8 03 E7 FE 3E 32 14 C4 C4 9D 09 4E AC"

The process %original file name%.exe:1148 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF FA 25 0A 05 89 52 93 5B FC 10 52 A8 A6 BA EF"

The process %original file name%.exe:1956 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 C9 6C 6E 77 DF F4 99 EC C1 D5 C3 5E B3 78 33"

The process %original file name%.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 67 41 30 D3 7D E0 7F 49 D5 00 9A 95 D7 B9 62"

The process %original file name%.exe:3056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 8D F9 90 6C 28 2F A6 D3 67 05 AC 11 A3 CB 4F"

The process %original file name%.exe:2632 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 4A 43 8C E4 F4 C4 FE ED A5 12 56 AB E0 EC C3"

The process %original file name%.exe:248 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 E1 91 CA BB 73 22 48 00 FD 37 53 00 CD D6 0A"

The process %original file name%.exe:644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D A4 AA AB 04 C9 CD 9A 88 EA CC 06 F2 FA 1B F5"

The process %original file name%.exe:3880 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 52 B0 14 B1 A5 0C AF DA 28 F9 58 C5 96 92 A2"

The process %original file name%.exe:1644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 51 28 53 0A 4A 9E 20 56 65 91 D5 02 7B 7B 8D"

The process %original file name%.exe:2640 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 BD CB 76 40 66 F5 9F 88 E7 7E A8 13 B5 65 CE"

The process %original file name%.exe:3540 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 CC C3 FD EA 4B A0 23 EF 03 53 6F 86 DA B5 11"

The process %original file name%.exe:3448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 C7 B7 2E 4B 86 52 2A DE 6A 32 10 DD 96 96 09"

The process %original file name%.exe:3564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC EA 5E 62 96 EA 2D 8B F6 E0 0D 25 D4 56 80 AF"

The process %original file name%.exe:3152 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 F1 52 38 E3 06 DE 66 E6 9C 2B 87 58 9F B0 69"

The process %original file name%.exe:3500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 57 85 58 13 79 3F 88 FB 20 86 97 26 E8 35 9F"

The process %original file name%.exe:2492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 48 BD 04 BC E5 30 4A FE 17 2F 30 2A C6 75 25"

The process %original file name%.exe:1288 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 64 34 36 C7 AE D2 38 F2 1D 5F C5 3E 28 3C 66"

The process %original file name%.exe:536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 6A E3 D7 E1 B2 3B D7 D4 25 3E F3 D4 3A 01 57"

The process %original file name%.exe:2752 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 48 00 44 E7 BB 3D DC C5 F1 9B C2 A9 83 41 04"

The process %original file name%.exe:352 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 15 FA B0 A2 BF E8 4E 79 3A 04 FC 5E CA FE DC"

The process %original file name%.exe:2416 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 89 88 90 E8 67 2C D0 CC 62 3B 78 4F 62 FB 71"

The process %original file name%.exe:296 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 A3 C7 64 6A B0 66 99 FF 45 72 F9 20 F4 28 A8"

The process %original file name%.exe:2376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 6D 72 E2 4F 24 E6 48 62 20 5F 20 A4 21 32 D4"

The process %original file name%.exe:2104 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 34 D6 8A 33 5F 65 D1 92 1B 29 8E E9 EA CC CA"

The process %original file name%.exe:3820 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 02 43 15 19 E0 9B 6F 79 87 CA 27 E4 30 8A 31"

The process %original file name%.exe:2148 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3D F4 49 8A 5D 19 B8 C9 62 A2 E5 EE E4 A1 05"

The process cscript.exe:1128 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 8D 71 B9 95 66 1D B3 02 C5 EC 25 97 B0 34 41"

The process cscript.exe:2616 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 70 D8 D2 64 39 F2 58 06 A6 BB 01 3E 99 C3 F1"

The process cscript.exe:2736 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE C2 54 17 CB C1 2D 96 88 C5 36 49 E7 30 73 FF"

The process cscript.exe:212 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 A8 84 1A D4 08 D1 CB D9 4A F6 AA B2 E4 30 2F"

The process cscript.exe:3808 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 80 1F 99 80 70 15 22 91 F1 40 C8 BD F7 8D 2B"

The process cscript.exe:2592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 CD 46 D6 DB DD DF 41 2F 51 F7 AF B0 63 81 DE"

The process cscript.exe:1080 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 38 32 51 F3 10 E5 6E 02 72 6A 3C 3B 57 0D 99"

The process cscript.exe:1328 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 9E 79 35 88 F1 4D FC 97 FD A0 4B F9 AD 7F CD"

The process cscript.exe:1260 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 7F EB 15 64 E6 AB 21 94 1B 92 54 0E 80 93 73"

The process cscript.exe:3060 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 35 EA 31 3F A8 23 D1 AE E1 56 9B 1C 5A 01 5F"

The process cscript.exe:3272 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA F1 4A 95 F9 3D E3 01 42 DB C2 B8 D7 41 00 60"

The process cscript.exe:3256 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 E1 9D AF DC 7C 88 9E 2B 2E 7A 66 E4 08 A1 60"

The process cscript.exe:1908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A B0 0D 2D 34 D8 CB 9D 5A 07 9D BE C2 6A EC 53"

The process cscript.exe:2824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 C1 8B D2 6C FE E3 B7 20 97 38 FC C0 9B FF BE"

The process cscript.exe:4084 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 81 77 FA C0 70 1C F7 29 AA 4C 65 56 8B 5A DD"

The process cscript.exe:1896 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 85 87 E5 73 A8 0C E4 16 8E 4A AC 4B 32 5E B6"

The process cscript.exe:3208 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A E5 C3 BB 20 BB CF 2A 21 3C 15 AB 68 8E 5B 51"

The process cscript.exe:2928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B E4 2B 3E 70 A7 4D 19 A4 7A B1 DE 69 5B 06 63"

The process cscript.exe:172 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 C5 8D 9A BE 92 26 9E A0 E8 1A 1B B3 10 55 9F"

The process cscript.exe:2940 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 91 FC 68 7E 0F 36 CD 8B C2 25 B3 AD 36 79 83"

The process cscript.exe:2344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 34 7C 61 82 75 79 E4 1C EE F4 EE B0 17 A2 5F"

The process cscript.exe:3476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 0E AE B9 55 4B EF C4 36 68 55 6F 81 FB BF 55"

The process cscript.exe:3644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 6A FC 94 4C 6A A3 33 09 26 31 C7 10 0A 22 07"

The process cscript.exe:3108 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC E5 64 08 29 BC E0 6C 08 28 9C A8 D1 28 12 B1"

The process cscript.exe:2340 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 72 FF 40 89 B0 C3 24 B9 7B 73 67 7C 10 48 06"

The process cscript.exe:3380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 A6 5A FE 40 68 56 06 C0 07 ED 7C 8A E9 5C 58"

The process cscript.exe:2056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 75 A9 B9 CA 3F 6D 71 2D 82 17 8D 29 43 B1 8D"

The process cscript.exe:4000 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 B8 84 ED 0C 4E B7 CE 49 E4 F9 1B F3 38 78 C7"

The process cscript.exe:256 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D F6 4B EF 05 AA 79 5E 53 1E D9 25 6C 82 41 4C"

The process cscript.exe:2224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 57 8F BE 67 9A F3 3B 49 3C 8A 2E E0 19 63 9F"

The process cscript.exe:3796 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 15 0E 66 51 3E 9F 88 B5 09 71 B8 42 85 E0 E6"

The process cscript.exe:2304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 70 2A 86 BE 49 90 15 4C 9A 26 55 61 AD 16 8D"

The process cscript.exe:1944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 B3 A0 34 33 5A AD A8 CE 53 30 2A AF F4 A9 2F"

The process cscript.exe:3588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 05 5C 5E D7 9B 19 F8 1E 4D 90 F1 24 3C 69 87"

The process cscript.exe:3972 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 58 5D 1A 6E 39 6D 0E 79 97 62 7B 76 2A C2 43"

The process cscript.exe:2684 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 A0 DA F2 96 89 7E 98 8B 6A D1 A2 A4 FD 8B 84"

The process cscript.exe:1476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B3 CC 51 E7 95 9E 6F 7E 79 10 1E B4 E4 A2 8D"

The process cscript.exe:1676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 DF E0 B0 BE 9A CE A2 31 A3 4F 36 3B E0 04 84"

The process cscript.exe:2364 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C9 2F C9 03 94 69 6F 97 79 C9 CB F4 2C DD 16"

The process cscript.exe:3896 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 51 AE 56 10 D7 CB 4C AE 5B 7E 54 A2 15 D8 A3"

The process cscript.exe:3928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 88 D2 0A 04 45 8C 0F 8E DB 58 B3 9C 5D FA FD"

The process cscript.exe:2500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 BD CA 7F 9D 29 73 49 24 AF E1 BA 6C 35 D4 37"

The process cscript.exe:2080 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 1D 9E 6A FA 71 C3 C0 56 74 74 E8 8B 75 35 9F"

The process cscript.exe:2620 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 36 8B 49 54 3E 7E 56 07 C5 F9 B3 64 4F EA C6"

The process cscript.exe:2456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 BD 98 31 05 1E 6F 1F F6 A7 D4 E1 EC AC 84 6D"

The process cscript.exe:2876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA A8 9C 5D 36 74 5F E0 F3 62 2C 4B 1D CC 69 08"

The process cscript.exe:4092 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 1B B6 1F 55 31 6F 71 39 40 DA AF 60 23 4F FF"

The process cscript.exe:3384 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 96 25 C6 5A 4C F4 2C 12 0B 71 F6 29 55 DC 76"

The process cscript.exe:2936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 6F BE DE 6C 74 5B FB B1 A8 6C 0B 64 DA 93 21"

The process cscript.exe:1336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 DA 56 3B 61 EC 92 F7 26 9B 26 6A C8 6E 30 75"

The process cscript.exe:1796 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 0A B9 F4 66 32 39 B7 F2 86 5E 34 80 60 69 28"

The process cscript.exe:3876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 25 9E FA C0 A5 45 8E 57 0F 9B 2F 0F 71 88 E8"

The process cscript.exe:1152 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 87 C8 18 AB D2 A8 18 67 00 95 17 0C 1A 9A 79"

The process cscript.exe:3708 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 51 40 F7 87 1D 86 C3 E5 A7 49 26 E4 76 C3 DD"

The process cscript.exe:2484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 2D AC 0D 4D 55 3A 8F F9 A3 AF 48 35 1B 99 DC"

The process cscript.exe:1800 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 1D 33 C2 DC 5D 85 D1 0C 2F 9A 3C 19 E5 52 92"

The process cscript.exe:3648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 76 4D 6F EC 1D 05 66 7E 00 30 88 B6 58 61 E8"

The process cscript.exe:3268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 58 C5 F8 A1 38 29 2E B0 F0 95 EB 66 E7 51 E9"

The process cscript.exe:2728 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C5 C3 2C CB AC BC 8E 2B 64 3A 69 E5 41 77 D8"

The process cscript.exe:3176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 13 8F 11 48 A3 B7 23 DA 21 3E 29 B8 4B A2 4D"

The process cscript.exe:3508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 6C CD 43 C5 C1 2F C1 10 62 73 35 29 A0 35 2C"

The process cscript.exe:2088 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 83 CA AF 86 B9 62 A3 66 38 63 56 39 59 2B 20"

The process cscript.exe:1636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 EE F9 F0 BA 53 B7 3C 97 D9 B5 D3 E9 A0 F5 B0"

The process cscript.exe:2768 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 45 B4 BB 26 D6 03 22 2A 31 96 BA 9B F0 0F 05"

The process cscript.exe:3460 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A9 22 09 78 95 74 09 70 D8 66 14 14 7D EC DE"

The process cscript.exe:3036 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 F0 FF DB 72 A1 45 4F 94 AD A4 82 B9 6A F3 76"

The process cscript.exe:2232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 21 BF 93 EE C4 51 29 C8 25 90 17 D5 1C 05 46"

The process cscript.exe:4072 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 37 06 05 BE 7E 37 61 62 9B 75 38 14 9B 53 DD"

The process cscript.exe:2108 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD AE 5E CE 32 9F 6A 68 FF 7D FE 0D 75 DB 8A 7C"

The process cscript.exe:3988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 AF 0F 29 76 45 03 11 80 2F 7D A6 A8 5D CF C9"

The process cscript.exe:532 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 54 A1 B9 DA EF 1B 20 64 17 AD AD C4 47 76 9C"

The process cscript.exe:412 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 D4 B4 32 14 A2 AB CF 5F 3C 27 61 C9 77 C0 FD"

The process cscript.exe:3164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 3A A2 33 94 90 26 C6 FD A0 D6 2A 23 14 30 64"

The process cscript.exe:2164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F DC 97 3A 59 4C 8C A2 C8 22 A8 A0 4C 48 1A E6"

The process cscript.exe:2376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 E5 8E 36 75 19 68 C4 6F A4 81 B1 03 A1 C0 7A"

The process cscript.exe:1664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 84 76 F5 A5 7C 87 E8 2D 3A 8A 2A 1C 52 30 34"

The process cscript.exe:2536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 8E 7A 51 4D B8 A4 8B 2B CD 81 4E EA 12 49 75"

The process cscript.exe:1724 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 A7 B9 7D AB 99 32 BA D4 CE A2 5B 03 88 3D 61"

The process cscript.exe:3484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 EA 82 62 42 F5 43 C0 37 5A 30 FC 60 91 99 0B"

The process NesIMIQs.exe:900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 4A E3 D4 37 0F E7 5C 77 C9 3E 01 E8 8E 9A 19"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

Dropped PE files

MD5 File path
eeccdd01230bb37eb0c767e49b11ed7cc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
f45e1294419b8aca97b657cee037c610c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
27cb1a980975cb948595cc3e70c1f6f3c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
43222b87ac768b77407d383d36f51fbac:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
9ad261edfb75f9a810e61c3180e5e709c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
a78954af15f664ca286860857c200e82c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
546c6a60505dd4da655381faec2ff3b4c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
c9cb495916cc35ccba73b57e977e6106c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
2326a9045d2a571bd30e0b6d1c0567e5c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
b9c654d06ee4d2d91cb544ca10b1da2dc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
5211c1df56f896fa4059e35fabbe50e0c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
05163c31513e3a5e6c40265659c32078c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
b11512faf60df7fd92b903cc7d949db6c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
4c43cc2353c9d65b36a0bea73810652ec:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
468c28c82bb2c1a32f57e2d5915165fcc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
5a8949789b138d4c6396895a27dcef33c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
54f876f02fcba682260e37346101508fc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
a3f01934ad24569893ff116325808a99c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
2c5a1793a44f5fae088cc673b5758914c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
fea0ef930d2c6b8efac142949cbe5076c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
8446d5cf640280b0253d4416458e5764c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
400c84dfc2b0f3f140dda0daf7401254c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
601a3ca8f792e3227ab860e5f7fcabccc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
cf4db8b7ab08bb268496151362a26529c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
70e78ee75b7a81127c8954a156554f23c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
5d954620997e9eda1aa91bb0d1659a98c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
2568b29bb41233c87312a09a93b56ab1c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
33fec18ec898a05aecaafa3825abfcd6c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
aa9df7905a156fb5a15a9c453725196cc:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
1e48331864afbd7ed9e35617d1571a91c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
eb89aab0340b2bc6e2c96afc333f9f41c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
1ecfbdd42f2009471811f9bfd0ddf657c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe
786abe895e32bff3206fc15698151f80c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe
eb9fec1a65621a45978e0f5f172167b6c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe
e54fd1dcd7f657b3c5edc570f151c382c:\Perl\eg\IEExamples\ie_animated.gif.exe
5aeedfd51ced011d2ba6c8e93cd89c49c:\Perl\eg\IEExamples\psbwlogo.gif.exe
fa6af787f7addb954ae8f167a4f79916c:\Perl\eg\aspSamples\ASbanner.gif.exe
d408f1ff4aa54fef102e2368c99dfc6ec:\Perl\eg\aspSamples\Main_Banner.gif.exe
ffe3873e4c367ac936604652fd84d5a5c:\Perl\eg\aspSamples\psbwlogo.gif.exe
61945569b1af44254b4c4ffb90c27b08c:\Perl\html\images\AS_logo.gif.exe
323a4b5698a76b3b3bfc398867b59eccc:\Perl\html\images\PerlCritic_run.png.exe
19fbb60cc60f2fcd49532081feff9023c:\Perl\html\images\aslogo.gif.exe
716b8fa94d80975db6e77cc9b0f33b2ec:\Perl\html\images\ppm_gui.png.exe
a5b1fd4797355326a375957cf0a1d98ec:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
d9e2ef0365a2e8862817ae1af2cb3cbbc:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
15b5cc40fe0cb8da4be6161d215a3ebac:\Perl\lib\Devel\NYTProf\js\asc.png.exe
0fe6df2b10827e61640228e4faf34a33c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
f58a1275e557dee25670cb594f2d3bf6c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
ac0ab35545eb2265f9fb5381436613f8c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
8f0519631bf264b4b89079575b9ad2cfc:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
b3e83b111c239e5cbe7090cb26d732c4c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
973654b0ae285574229ade28e3663fcac:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
4fff02f461eeccc2940944df33709e11c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
89a004d018873b5f88b5b5bf5e26a411c:\Perl\lib\Mozilla\CA\cacert.pem.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3904
    %original file name%.exe:2964
    %original file name%.exe:3240
    %original file name%.exe:2988
    %original file name%.exe:2960
    %original file name%.exe:624
    %original file name%.exe:312
    %original file name%.exe:2844
    %original file name%.exe:2636
    %original file name%.exe:332
    %original file name%.exe:1920
    %original file name%.exe:3380
    %original file name%.exe:3824
    %original file name%.exe:1924
    %original file name%.exe:2548
    %original file name%.exe:3308
    %original file name%.exe:3736
    %original file name%.exe:3164
    %original file name%.exe:2896
    %original file name%.exe:2196
    %original file name%.exe:1208
    %original file name%.exe:4008
    %original file name%.exe:2344
    %original file name%.exe:1908
    %original file name%.exe:2540
    %original file name%.exe:3472
    %original file name%.exe:2544
    %original file name%.exe:668
    %original file name%.exe:3100
    %original file name%.exe:3516
    %original file name%.exe:3256
    %original file name%.exe:2984
    %original file name%.exe:656
    %original file name%.exe:2380
    %original file name%.exe:2268
    %original file name%.exe:652
    %original file name%.exe:1468
    %original file name%.exe:2244
    %original file name%.exe:1652
    %original file name%.exe:2748
    %original file name%.exe:1676
    %original file name%.exe:2364
    %original file name%.exe:2076
    %original file name%.exe:2264
    %original file name%.exe:2668
    %original file name%.exe:2428
    %original file name%.exe:3664
    %original file name%.exe:3836
    %original file name%.exe:336
    %original file name%.exe:2280
    %original file name%.exe:3596
    %original file name%.exe:3608
    %original file name%.exe:304
    %original file name%.exe:1932
    %original file name%.exe:2856
    %original file name%.exe:1048
    %original file name%.exe:244
    %original file name%.exe:1148
    %original file name%.exe:1956
    %original file name%.exe:3404
    %original file name%.exe:3056
    %original file name%.exe:2632
    %original file name%.exe:248
    %original file name%.exe:644
    %original file name%.exe:3880
    %original file name%.exe:1644
    %original file name%.exe:2640
    %original file name%.exe:3540
    %original file name%.exe:3448
    %original file name%.exe:3564
    %original file name%.exe:3152
    %original file name%.exe:3500
    %original file name%.exe:2492
    %original file name%.exe:1288
    %original file name%.exe:536
    %original file name%.exe:2752
    %original file name%.exe:352
    %original file name%.exe:2416
    %original file name%.exe:296
    %original file name%.exe:2376
    %original file name%.exe:2104
    %original file name%.exe:3820
    %original file name%.exe:2148
    cscript.exe:1128
    cscript.exe:2616
    cscript.exe:2736
    cscript.exe:212
    cscript.exe:3808
    cscript.exe:2592
    cscript.exe:1080
    cscript.exe:1328
    cscript.exe:1260
    cscript.exe:3060
    cscript.exe:3272
    cscript.exe:3256
    cscript.exe:1908
    cscript.exe:2824
    cscript.exe:4084
    cscript.exe:1896
    cscript.exe:3208
    cscript.exe:2928
    cscript.exe:172
    cscript.exe:2940
    cscript.exe:2344
    cscript.exe:3476
    cscript.exe:3644
    cscript.exe:3108
    cscript.exe:2340
    cscript.exe:3380
    cscript.exe:2056
    cscript.exe:4000
    cscript.exe:256
    cscript.exe:2224
    cscript.exe:3796
    cscript.exe:2304
    cscript.exe:1944
    cscript.exe:3588
    cscript.exe:3972
    cscript.exe:2684
    cscript.exe:1476
    cscript.exe:1676
    cscript.exe:2364
    cscript.exe:3896
    cscript.exe:3928
    cscript.exe:2500
    cscript.exe:2080
    cscript.exe:2620
    cscript.exe:2456
    cscript.exe:2876
    cscript.exe:4092
    cscript.exe:3384
    cscript.exe:2936
    cscript.exe:1336
    cscript.exe:1796
    cscript.exe:3876
    cscript.exe:1152
    cscript.exe:3708
    cscript.exe:2484
    cscript.exe:1800
    cscript.exe:3648
    cscript.exe:3268
    cscript.exe:2728
    cscript.exe:3176
    cscript.exe:3508
    cscript.exe:2088
    cscript.exe:1636
    cscript.exe:2768
    cscript.exe:3460
    cscript.exe:3036
    cscript.exe:2232
    cscript.exe:4072
    cscript.exe:2108
    cscript.exe:3988
    cscript.exe:532
    cscript.exe:412
    cscript.exe:3164
    cscript.exe:2164
    cscript.exe:2376
    cscript.exe:1664
    cscript.exe:2536
    cscript.exe:1724
    cscript.exe:3484

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
    C:\totalcmd\TcUsbRun.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FSsoUwUA.bat (112 bytes)
    C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NKUsAggo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqUYgcIw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MwIgkQQc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UsccogcU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EQoEIgAQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SSMUEIMI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HsQwsAIc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UGEUMkUs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BmYkcQcU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EacgAIMA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zoEYUowg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TeYMMwgg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iMAosYIA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iekMYAQE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\teIYoYkw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pqQoMYQY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lAYkoYUk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JYcswMAs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rEkkgMco.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zIkEkAEo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GWAkMokI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qWYkIYQY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NiAoUoEY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sKsEcQYA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\poEYUIog.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MWoEUQkw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pyockIUk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LScEAAsQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ROgYkAos.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NCsgwkAk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JmoYIEsE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YaUckQUE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JoYkUoEg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OikgMAcs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JyUUIgso.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tYkMoAAU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jmEgossI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VYoMIwMs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fUAcIksw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FgEgMcoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xCsEYgMw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ouMwkoYQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hMosAsEE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mkwkIMww.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nUEsoQcg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QugQUcIQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WucEIMQw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\guUYEkgE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NiwAgQQA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nKYEIggg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WWIMcwcw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VOIcsosY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DWEcEMUA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rUQIIYAg.bat (4 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7713 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7737 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jeUsEoUo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BgIMAcgc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gQIcYQgQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MkcMssAw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QewMskQY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OOUskAkg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nAIcYsAg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vUcIUogc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NMAwkAgw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kkUMIscQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EQMIoMsE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UkUkwAIY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ROQkoogU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iwsgAQIo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mUUgwAwk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TysUUcgY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JOcYQMIs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LuoQQIAU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oGYMYYcQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cUMsUwIA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pgUgYsEc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\geoUMAUo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pqwMcMYM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cIAkgEEU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xIogkMoQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hewcUUYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hkogIkAE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ickwgEcw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uWMUYYAY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mGwkYgIM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bGYokksA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xOIUQcMI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dGAwYkII.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\swoYwcIw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dQwIEAcg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MAsMMkwo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SQAIIgcI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\COIQksIo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pqUoEoIU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZUMYsokk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CmEgIcQU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmEEAkwM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CWkcQsww.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OsEgYkcg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JgAQgYck.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EywYsooQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ASQIIgEE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kQUAgocA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QOIYowkA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rUcQkwIk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hGIAYYQs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FEUMUkwo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KsEEwsgg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hwYgEoMo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VKskgQIw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UCUscwEU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MywsQIog.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fkMkUQAE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bokUkwUg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KAEgIUgs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ouAQwsMI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vGcQsYUs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UiMUwAEU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ueUAkIIM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kIYcEwUU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCIUMMUc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SgEogMEs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hOEYYMoI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CGUUQQkA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pOQwUcEI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UmwIQoYA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wssMMIII.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PigogsQs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\biwQEMMA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scQoUQUs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sOYwQYMg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RcIokMEg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vgcIgccQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cisoMAso.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WyAwAkwk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RykEwgAI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OasIgQgw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WqgYsgQM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DQgAggoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DWUIMUcQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dYcIEAwA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QmgUEQEk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uWEgEEUs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eSoAckcE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZoAYoEEM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VoQYkgAI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BIoIUcgo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DCYcwMEg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sQQcogEI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\augwEksM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wCEoYQYs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GicUsEwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ymkkkQYY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gOwgkEYU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DkowwcEY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CWkYIwcs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YecMEgsc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PiwowYIQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MEIMcsAA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KwIQkkgA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UOscIYQw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kGcogIcI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iQwIAAQg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wUgcwwgg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SQQoooII.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WeMEoUgM.bat (112 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40969994249978885.46673ddf341ad5436083a140693c4bfb6d1b1
.rdata100352040965122.156691a86df73d098662b934f073051938761
.data100761635120.042395ec85800a7052112f06e6ebca770ecfe3
.rsrc1011712137215362.3609872c06d53c4b76b025d7bc6f23723f2cd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps