HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.535449 (B) (Emsisoft), Gen:Variant.Kazy.535449 (AdAware), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 09c7c108fa1cfa6052d4b24310e3b608
SHA1: 4b6c7cf68cf29ba9977d5ae25bed33835b43e18c
SHA256: 357d4755f12e087e7053c0b31e9c5e39392fd3902a54405afa618a44418bc7fb
SSDeep: 12288:bkISKzR00dmbY/Qi2SiMhdP7G32X9mt0PxdJgtFRmR:bzxN09YYitiMhdTst0PxdJg3IR
Size: 500736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1164
%original file name%.exe:308
%original file name%.exe:1268
%original file name%.exe:1160
%original file name%.exe:1144
%original file name%.exe:884
%original file name%.exe:1168
%original file name%.exe:608
%original file name%.exe:1924
%original file name%.exe:1928
%original file name%.exe:596
%original file name%.exe:344
%original file name%.exe:1948
%original file name%.exe:1836
%original file name%.exe:1232
%original file name%.exe:1772
%original file name%.exe:1852
%original file name%.exe:668
%original file name%.exe:956
%original file name%.exe:1568
%original file name%.exe:1500
%original file name%.exe:1372
%original file name%.exe:508
%original file name%.exe:1376
%original file name%.exe:916
%original file name%.exe:348
%original file name%.exe:1012
%original file name%.exe:2012
%original file name%.exe:568
%original file name%.exe:1092
%original file name%.exe:772
%original file name%.exe:616
%original file name%.exe:1136
%original file name%.exe:588
%original file name%.exe:316
%original file name%.exe:168
%original file name%.exe:240
%original file name%.exe:228
%original file name%.exe:1968
%original file name%.exe:248
%original file name%.exe:1640
%original file name%.exe:908
%original file name%.exe:1456
%original file name%.exe:828
%original file name%.exe:648
%original file name%.exe:820
%original file name%.exe:1368
cscript.exe:1128
cscript.exe:216
cscript.exe:1144
cscript.exe:1952
cscript.exe:1124
cscript.exe:316
cscript.exe:1920
cscript.exe:1924
cscript.exe:1548
cscript.exe:1832
cscript.exe:1968
cscript.exe:1772
cscript.exe:1852
cscript.exe:1944
cscript.exe:1568
cscript.exe:320
cscript.exe:188
cscript.exe:916
cscript.exe:348
cscript.exe:408
cscript.exe:308
cscript.exe:448
cscript.exe:1360
cscript.exe:1132
cscript.exe:564
cscript.exe:1796
cscript.exe:1956
cscript.exe:1888
cscript.exe:1912
cscript.exe:1016
cscript.exe:1880
cscript.exe:860
cscript.exe:908
cscript.exe:1768
cscript.exe:808
cscript.exe:1100
cscript.exe:648
cscript.exe:1760
cscript.exe:1740
cscript.exe:1368
cscript.exe:516
The Trojan injects its code into the following process(es):
fGAwoYMM.exe:1752
reIEcoQI.exe:1364
NesIMIQs.exe:644
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process fGAwoYMM.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7971 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (3073 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (3073 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (31071 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (4185 bytes)
C:\totalcmd\TcUsbRun.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5873 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (3073 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\liIkUwcA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kmkkEcoc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ikUMYwwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMoEkcUA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\liIkUwcA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ikUMYwwA.bat (0 bytes)
The process %original file name%.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eaYEsYkU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RWEkQAwE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RWEkQAwE.bat (0 bytes)
The process %original file name%.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sewEIoMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RukAsUwQ.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sewEIoMs.bat (0 bytes)
The process %original file name%.exe:1160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hYcIkoEU.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pUEMIcYk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hYcIkoEU.bat (0 bytes)
The process %original file name%.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MIgcEkcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bIIsAMoA.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bIIsAMoA.bat (0 bytes)
The process %original file name%.exe:884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ysQMcIAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\niwIAAYo.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ysQMcIAE.bat (0 bytes)
The process %original file name%.exe:1168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yMwYMUkE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CskoIEgo.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yMwYMUkE.bat (0 bytes)
The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KUYQQQcI.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LcAQkgYw.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LcAQkgYw.bat (0 bytes)
The process %original file name%.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oMsAUgMA.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emoIUMEI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\emoIUMEI.bat (0 bytes)
The process %original file name%.exe:1928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YOYwwkEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XMgUUwoc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YOYwwkEE.bat (0 bytes)
The process %original file name%.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\acgscQIg.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RswoYwUg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\acgscQIg.bat (0 bytes)
The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OSQYAkIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuMcswUE.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OSQYAkIc.bat (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AMcUwIUw.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vywgEQsE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vywgEQsE.bat (0 bytes)
The process %original file name%.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oswMkgcc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GOIYgskU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oswMkgcc.bat (0 bytes)
The process %original file name%.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mkoYEMYk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IaQQYAUw.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mkoYEMYk.bat (0 bytes)
The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EsQwwYsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QckMUQkM.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EsQwwYsw.bat (0 bytes)
The process %original file name%.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WecIYIwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vmwwIsAo.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vmwwIsAo.bat (0 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pCMossQI.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSggkEUs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fSggkEUs.bat (0 bytes)
The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FYwcMAYw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWQsowMU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FYwcMAYw.bat (0 bytes)
The process %original file name%.exe:1568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LOIQcQos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RkcIcoME.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RkcIcoME.bat (0 bytes)
The process %original file name%.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NYcUMYso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqcMkAoI.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hqcMkAoI.bat (0 bytes)
The process %original file name%.exe:1372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YmcggMcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lEkAsoEM.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YmcggMcs.bat (0 bytes)
The process %original file name%.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WIMIAIcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DCUkUIcQ.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DCUkUIcQ.bat (0 bytes)
The process %original file name%.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mmsoYwgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\seMIkoEU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mmsoYwgk.bat (0 bytes)
The process %original file name%.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qWIkYoIc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TwQcoEsA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TwQcoEsA.bat (0 bytes)
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MIsEAoUI.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qecEEccM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qecEEccM.bat (0 bytes)
The process %original file name%.exe:1012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pQUgccow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MmcMUMsM.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pQUgccow.bat (0 bytes)
The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UGIEQsgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouQosYYw.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UGIEQsgM.bat (0 bytes)
The process %original file name%.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xMkwEIoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SOIUEAAs.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xMkwEIoY.bat (0 bytes)
The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LGEQcoUY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYMQssoU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LGEQcoUY.bat (0 bytes)
The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OMsoQMwc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fwsYQMAw.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OMsoQMwc.bat (0 bytes)
The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uuYIkMUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FucYMoAY.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FucYMoAY.bat (0 bytes)
The process %original file name%.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eYUgMogY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zWwoocAE.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eYUgMogY.bat (0 bytes)
The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GCQYUIsk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MoEwQUsQ.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GCQYUIsk.bat (0 bytes)
The process %original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZacsIQsg.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DScQwgEE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DScQwgEE.bat (0 bytes)
The process %original file name%.exe:168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YywcYwos.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pawsAQQM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pawsAQQM.bat (0 bytes)
The process %original file name%.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EuQgUggc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZSkQAwwo.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZSkQAwwo.bat (0 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3201 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3249 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (4057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UOooMgIo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQskgIMs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQskgIMs.bat (0 bytes)
The process %original file name%.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CkgIsUQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hosIAkIA.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CkgIsUQA.bat (0 bytes)
The process %original file name%.exe:248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jyYEcYIQ.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cMcEMgUY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cMcEMgUY.bat (0 bytes)
The process %original file name%.exe:1640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IccEIUgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sekQscYo.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IccEIUgI.bat (0 bytes)
The process %original file name%.exe:908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oEsUUcgM.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMgIIccc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oEsUUcgM.bat (0 bytes)
The process %original file name%.exe:1456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OmAokUso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZcYEsgkU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OmAokUso.bat (0 bytes)
The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TyQskEkI.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xoQYsgAY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TyQskEkI.bat (0 bytes)
The process %original file name%.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yeIUUUYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NssooooA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yeIUUUYo.bat (0 bytes)
The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IYMAIkQw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UKAcYYQg.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IYMAIkQw.bat (0 bytes)
The process %original file name%.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wMgMMAIg.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pUcAEwIQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pUcAEwIQ.bat (0 bytes)
Registry activity
The process fGAwoYMM.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE F0 7A D2 63 33 90 CD 54 03 71 49 78 16 F9 DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 FF 72 FF 16 56 67 F4 A7 F5 E6 76 A8 44 5B C4"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 08 CA 94 AF 37 06 A0 67 97 CC 87 E4 C5 A4 50"
The process %original file name%.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 13 B0 62 A3 71 4B FF 58 FB 53 81 01 01 B6 10"
The process %original file name%.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 8D E7 7D 26 BB A3 A8 76 C6 71 FC 38 E2 EA A6"
The process %original file name%.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 66 AE F7 78 4A DC BA 2B 7F EA 9E 9C 2D D2 7B"
The process %original file name%.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 FF CE E1 32 20 92 96 2A 94 99 35 05 37 D1 44"
The process %original file name%.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 28 94 62 67 78 12 47 E6 17 CB 93 9E 8D EA 4A"
The process %original file name%.exe:1168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 12 CC 8B 2F 23 90 9E 0D 2E D6 0B 9E 2B 35 C0"
The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 F4 57 AA 8D CB 90 1A 44 85 F8 F8 42 14 AE 52"
The process %original file name%.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 32 E7 25 2E 3A 6F DA AD C7 7B A9 AE DE BF C7"
The process %original file name%.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 95 7C 4F 9B 1D 56 8F 62 94 13 0C A0 CC BA DC"
The process %original file name%.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC A3 88 77 66 62 B7 AF D4 4B 2A 2A 21 8E 75 7B"
The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 31 CD 15 96 D8 2C E8 D9 83 3B 3F 2F 09 DF CD"
The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 3F 2B 56 7B EA 9C 11 F1 FA 41 1C 1F 11 B7 02"
The process %original file name%.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B E9 1D 13 D0 D8 71 3B 7A 37 D4 FA E7 DD CA 61"
The process %original file name%.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 AC E4 E0 66 DF 4E 2F C3 56 9A E4 72 29 6C 5D"
The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 7B 37 B2 B7 54 4E B5 B7 81 A1 6A C7 A9 25 17"
The process %original file name%.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 0C 4B F4 65 1F C7 12 2C F0 D9 86 75 0F 71 99"
The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 5F AC 64 A5 54 A7 04 1F 58 DB A0 D0 02 5C FF"
The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF B1 21 6C 6B 33 DB B6 E8 42 C3 3C 53 B6 E2 4D"
The process %original file name%.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 98 8C 4E AB E7 59 3E 12 F2 1F 5C F8 2A DD 4D"
The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 CE 8B 78 20 01 48 BE 2B 1E 26 3B AE 15 2D 53"
The process %original file name%.exe:1372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 6C 58 F5 CE CB 40 B6 AA E8 67 1E 28 9F 7C E2"
The process %original file name%.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 0A 2D F4 43 8B 76 1C 3B 59 BC 00 E2 52 0F 07"
The process %original file name%.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 3B E2 FD 03 31 CC 0E D6 0B F8 6B 25 12 56 39"
The process %original file name%.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA C1 E5 44 6B 15 50 B7 59 AF 19 70 85 FF 8C CA"
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 76 0B FA BE 18 B3 F7 35 3F 33 DE 5D 18 33 E2"
The process %original file name%.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 67 B3 FB 42 F3 2A 55 CD 6A 6B CA 1C EF 9E EC"
The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 4B 85 60 CC 1B C6 E5 43 29 9F 47 B4 E8 02 A5"
The process %original file name%.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B F9 6B 86 CD 13 5E 18 A2 5E F0 0C 25 29 2E 50"
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 40 AF 25 FE 17 AE 71 A0 16 EF 93 DB 30 A5 D5"
The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 9B 2B 46 16 4E 1A 5A 62 E9 62 1C 09 C0 F5 3E"
The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 C6 E6 97 86 01 45 B2 4E A0 3D 29 16 CD EE 09"
The process %original file name%.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 0F 9D 62 16 AC 78 54 69 9B CC 2A 89 B2 1B 66"
The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 42 84 D6 0E 7A 3C 3B AA 70 88 06 17 63 D2 1C"
The process %original file name%.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 6D 99 E8 0A 39 91 FB 24 66 F7 7D 81 58 8B 37"
The process %original file name%.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 7F 5B 51 A1 4F 59 DF A0 45 F3 17 C3 E1 73 AB"
The process %original file name%.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 39 84 9D C4 D1 FC 2C 57 4B 60 D4 B4 CD AA 34"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 69 7B 6F 44 F6 B5 2B 9F 2A F7 7D 20 62 56 A7"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The Trojan adds a reference to itself so that it is executed each time a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 C9 7C EF E6 F1 9F 4C 09 48 A8 02 A1 CA 01 45"
The process %original file name%.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 DB C8 53 A0 1D B3 77 89 CB 29 B0 6D 17 58 B7"
The process %original file name%.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 D1 B2 AC 23 BE D9 A1 33 46 3C 3F F6 C8 64 7F"
The process %original file name%.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 5C 63 52 AB CB 49 C1 7C 1E 9D FA 8E C4 03 FE"
The process %original file name%.exe:1456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 E8 29 F7 90 E0 9F BF 98 07 21 8F 82 F9 C6 12"
The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 F3 2A 70 16 AB 31 5A 0F A0 2F 69 4D 03 EE 16"
The process %original file name%.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B E5 BE 32 B5 D6 2A 1F 99 59 FE DF 6C 32 7D A9"
The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 A8 64 44 C9 DC FC 4F 7D 38 9E 9F 82 9D 08 A5"
The process %original file name%.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 9F 2B 82 A8 A2 B4 15 01 9C A4 45 07 37 69 4C"
The process cscript.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 0A 36 7C EB B2 83 EA E3 5C 54 43 91 58 B4 6E"
The process cscript.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 64 0D 42 30 1A 99 72 2D 2A EF 7C 12 A5 AA F2"
The process cscript.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 81 4D 23 46 D3 39 AF 9C 23 E1 71 15 A7 54 B5"
The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 E3 D7 D0 93 8E 5A 20 EF 51 99 80 3B 30 47 6F"
The process cscript.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 B2 8E 63 8B 85 57 74 72 5A 36 90 F8 49 30 C9"
The process cscript.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 32 8C 8C 38 F6 AC E3 10 2D 30 BE C6 38 86 73"
The process cscript.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 E9 DE 5A 3B E7 D6 5D 75 CB 94 D9 6F 46 56 18"
The process cscript.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 31 B5 71 7A 19 F2 E8 5E 22 CF C2 A5 51 50 EE"
The process cscript.exe:1548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 B3 31 55 01 1B 73 41 0A 5E BA 2A 32 6D 96 41"
The process cscript.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 B9 66 6C DD 84 DD 96 F7 22 08 C7 E9 05 A6 E5"
The process cscript.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 3F EA 08 E6 BD C6 B0 43 1F 5D 2F 34 47 03 B1"
The process cscript.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 18 10 2A C7 A8 24 A1 75 B8 4A D5 90 DB 2E 3A"
The process cscript.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 33 E5 26 07 6D E0 EB CD 60 B8 E7 C8 5C CC 98"
The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 2A 9D EB D7 82 1E 8D 2F 76 EA 69 79 76 A7 3A"
The process cscript.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 01 F8 63 EA 11 A6 F3 1F CA 72 26 A2 59 4F 22"
The process cscript.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 1A EE 5B 96 A0 6D 57 4F 97 38 76 F3 22 9D F0"
The process cscript.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 98 20 DC E4 09 2D 5C 98 4E B7 1B 8B BB 20 F3"
The process cscript.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE A3 F8 0E 0A C5 15 FC C1 27 D7 A0 73 71 2C 2A"
The process cscript.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 93 AF 60 B0 06 4D DA BB 37 DE 73 6F 5E 3A 4F"
The process cscript.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 B0 36 6A 31 77 6C 1E 6F 25 C0 A0 C5 EE DC 87"
The process cscript.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 0A 51 96 7D 69 4A 0C 3D 92 FB B7 57 2A 46 00"
The process cscript.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C0 AC 78 C5 8D 04 32 34 0F C5 04 FF 11 6D F7"
The process cscript.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 A2 F1 A2 4D 81 BD CA E7 52 8D 0C D7 C6 50 B2"
The process cscript.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 6F B3 91 5B E4 BD 2A 52 69 42 F8 CB 51 32 9B"
The process cscript.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CD 57 19 B9 EE 25 DC 69 22 73 EA B4 B6 91 80"
The process cscript.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 69 DD 37 F1 52 19 46 A0 55 AE CA FB 7B 46 E6"
The process cscript.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC DD 4D C4 0F FD 75 B3 83 96 43 6B DF 7B 88 89"
The process cscript.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 8F 5A 02 B9 E3 E9 72 38 BB B9 C4 1C FC 37 11"
The process cscript.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 57 63 03 52 38 19 F6 1F 63 6F 4F 9B C5 D9 0A"
The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 84 AB D5 B1 FB 6A 27 F3 E8 48 8C 2D 8C B5 86"
The process cscript.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 2C 0C 49 61 BC F5 AA 02 C6 82 41 7D A6 BB CD"
The process cscript.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 B7 2E 8C 79 63 07 60 34 58 5B 7E FE 5F FA C9"
The process cscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 74 6E B0 4A D2 E3 F7 2C DB 94 21 BF B6 06 AF"
The process cscript.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 92 A4 85 C5 A7 6C CF 82 67 4C D0 07 E7 79 62"
The process cscript.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 65 A9 99 A4 0C 69 C2 67 72 75 F9 26 E1 58 77"
The process cscript.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 34 45 D4 26 6D A1 FD E3 F3 80 AD A6 58 0B 5B"
The process cscript.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD B0 5E 38 2E B2 38 3A 6F 87 4A A1 C2 5A 25 01"
The process cscript.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F CC A0 2C D7 16 5A B5 1E B6 47 1C 7E B7 C4 A0"
The process cscript.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 B7 35 DE 7C 77 B9 27 BE 19 77 AF 61 0F 1C 77"
The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 00 E0 6A 62 52 07 7C 0F A5 F0 B3 55 05 55 27"
The process cscript.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 27 30 AD F7 D8 3E 50 78 C8 3F 24 72 2A AD 7A"
The process NesIMIQs.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC FC 64 5A A3 C7 1D 64 95 59 59 F3 81 80 B0 71"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
Dropped PE files
MD5 | File path |
---|---|
de6ae9efebe48d81081a9136ea293554 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
0d9098cbdc998612d4942fbf07e468c3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
da498fb064020ffb3dfab4539da2f49e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
06ff0b1b98710d70d8076c9ecc771c0d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
bdf3bc37b7ed653979feb2c37ff9c14d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
cfa83ef443d0a25de43a3ece1e5bdfe2 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
bbe4dcb30ad27a15a81f68fde9f80aff | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
21f3fa92a00c33264b41a7f76e46b0d2 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
58f264b8c01aa0cdcb1b09b5e364c196 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
c0d39ce770b3ee479c5d150e12bdfe3f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
2144a336601f535501dd8330b5702c92 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
b941f53247e0fb8996112fe8d36a1f2e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
8ab3a96024e2a0825cc26dd772bfd2d6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
921544376045d09dda7024c3b0e22ecb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
ebf30d2713a77dedcdaa3a2b157e6c59 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
91c9fd72f200358e7b890bf20cd0f935 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
75ea88186f9013b6dead7a2a17c0392c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
4f6e0ee52c3595667eba5e903bf89fdd | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
fff6b7da8f5894dca2444896cbb4430f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
0535c53391d32f82431cb6781391a294 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
d68c42ec683835d092fa212b98c9b984 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
c392c0242307cd1cff820af833f96c32 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
0b7e0938fdfa93e1c1a6d3b2cd544ea5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
b698b6317584bd31973dabd1099b4164 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
d88d26a4c5698338717d9578ee4f2730 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
91019daae0d0ec89d1ad89c6a1d06cab | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
e42b1044aa684baf4dc33ae8d940704d | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
9d2bf09d1cf8021f72b3a69f2c2407ca | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
ea2cbad49bc221d033991f257807d967 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
c570334b5759ebc0ef34b866f541f8d6 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
1b915eed0cc589956516e15ff43e0fe9 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
29863128aebe404ecfeee763673ebe82 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
7a900cc83bdb6a1956cf7161b61ab978 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
9cb679e20480d9be407177f5e83a114d | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
f8e607c9248525e66bdfe670a4de42eb | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
21ee7d6c9501bc5b3d958f998488d675 | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
e80d09a98cb09dccc879c49c338f0741 | c:\Perl\html\images\AS_logo.gif.exe |
7b9a90de54948406f1d374392ebdb824 | c:\Perl\html\images\PerlCritic_run.png.exe |
e3795b40a30a2b98daaa1120934e74d9 | c:\Perl\html\images\aslogo.gif.exe |
992fab433c1a3512cb7b76ce558c1651 | c:\Perl\html\images\ppm_gui.png.exe |
16a150350a9fb92185332fd396e237ae | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
4c840e891b2a2c1ee91cec2aa0f383d8 | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
efcf1e8642a0149876716286a1e21981 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
3ae6868b6b6088c1e10c9c3ce3b9857f | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
38f8bd6c8070fe8c62ebda2f1eacac8b | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
edfead1bb46e120bebe596b09acaff94 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
7334cda6907de5c37e6abd56b4ddce78 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
339009e85f825e0bac0fe4a82d6817d4 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
a81bb3c3eb3ae66ff726725d50a34dc3 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
def1217bdc9ecd5042bc23d6911f7f67 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
3ded0886cc64c9878affb5ddfe9b6de0 | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
d926bfd9deae877f6fcc164cc9b86708 | c:\totalcmd\TCMADMIN.EXE.exe |
f53c24cc8a7bb1102e83b27fe1399191 | c:\totalcmd\TCMDX32.EXE.exe |
4f80d090e1ef1108434e80dc73491666 | c:\totalcmd\TCUNINST.EXE.exe |
3cfeab035c2d6ecfc734f7086abc3040 | c:\totalcmd\TOTALCMD.EXE.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1164
%original file name%.exe:308
%original file name%.exe:1268
%original file name%.exe:1160
%original file name%.exe:1144
%original file name%.exe:884
%original file name%.exe:1168
%original file name%.exe:608
%original file name%.exe:1924
%original file name%.exe:1928
%original file name%.exe:596
%original file name%.exe:344
%original file name%.exe:1948
%original file name%.exe:1836
%original file name%.exe:1232
%original file name%.exe:1772
%original file name%.exe:1852
%original file name%.exe:668
%original file name%.exe:956
%original file name%.exe:1568
%original file name%.exe:1500
%original file name%.exe:1372
%original file name%.exe:508
%original file name%.exe:1376
%original file name%.exe:916
%original file name%.exe:348
%original file name%.exe:1012
%original file name%.exe:2012
%original file name%.exe:568
%original file name%.exe:1092
%original file name%.exe:772
%original file name%.exe:616
%original file name%.exe:1136
%original file name%.exe:588
%original file name%.exe:316
%original file name%.exe:168
%original file name%.exe:240
%original file name%.exe:228
%original file name%.exe:1968
%original file name%.exe:248
%original file name%.exe:1640
%original file name%.exe:908
%original file name%.exe:1456
%original file name%.exe:828
%original file name%.exe:648
%original file name%.exe:820
%original file name%.exe:1368
cscript.exe:1128
cscript.exe:216
cscript.exe:1144
cscript.exe:1952
cscript.exe:1124
cscript.exe:316
cscript.exe:1920
cscript.exe:1924
cscript.exe:1548
cscript.exe:1832
cscript.exe:1968
cscript.exe:1772
cscript.exe:1852
cscript.exe:1944
cscript.exe:1568
cscript.exe:320
cscript.exe:188
cscript.exe:916
cscript.exe:348
cscript.exe:408
cscript.exe:308
cscript.exe:448
cscript.exe:1360
cscript.exe:1132
cscript.exe:564
cscript.exe:1796
cscript.exe:1956
cscript.exe:1888
cscript.exe:1912
cscript.exe:1016
cscript.exe:1880
cscript.exe:860
cscript.exe:908
cscript.exe:1768
cscript.exe:808
cscript.exe:1100
cscript.exe:648
cscript.exe:1760
cscript.exe:1740
cscript.exe:1368
cscript.exe:516
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7971 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (3073 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (3073 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (31071 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (4185 bytes)
C:\totalcmd\TcUsbRun.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5873 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\liIkUwcA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kmkkEcoc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ikUMYwwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMoEkcUA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eaYEsYkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RWEkQAwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sewEIoMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RukAsUwQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hYcIkoEU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pUEMIcYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MIgcEkcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bIIsAMoA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ysQMcIAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\niwIAAYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMwYMUkE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CskoIEgo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KUYQQQcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LcAQkgYw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oMsAUgMA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emoIUMEI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YOYwwkEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XMgUUwoc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\acgscQIg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RswoYwUg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OSQYAkIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuMcswUE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AMcUwIUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vywgEQsE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oswMkgcc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GOIYgskU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mkoYEMYk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IaQQYAUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EsQwwYsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QckMUQkM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WecIYIwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vmwwIsAo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pCMossQI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSggkEUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FYwcMAYw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWQsowMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LOIQcQos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RkcIcoME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NYcUMYso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqcMkAoI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YmcggMcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lEkAsoEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WIMIAIcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DCUkUIcQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mmsoYwgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\seMIkoEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qWIkYoIc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TwQcoEsA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MIsEAoUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qecEEccM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pQUgccow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MmcMUMsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UGIEQsgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouQosYYw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xMkwEIoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SOIUEAAs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LGEQcoUY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYMQssoU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OMsoQMwc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fwsYQMAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuYIkMUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FucYMoAY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eYUgMogY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zWwoocAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GCQYUIsk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MoEwQUsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZacsIQsg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DScQwgEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YywcYwos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pawsAQQM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EuQgUggc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZSkQAwwo.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3201 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3249 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (4057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UOooMgIo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQskgIMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CkgIsUQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hosIAkIA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyYEcYIQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cMcEMgUY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IccEIUgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sekQscYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oEsUUcgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMgIIccc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OmAokUso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZcYEsgkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyQskEkI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xoQYsgAY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yeIUUUYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NssooooA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IYMAIkQw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UKAcYYQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wMgMMAIg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pUcAEwIQ.bat (112 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 495616 | 493568 | 5.50839 | a102da7ab16f7d35b84754ff029724ac |
.rdata | 499712 | 4096 | 512 | 1.90742 | 00db3b4bac4fd4c90796d9c4f991d10f |
.data | 503808 | 280 | 512 | 2.84706 | 607b6016384674450e6edebd81225dba |
.rsrc | 507904 | 4444 | 4608 | 2.85679 | 9d92d0d5f3300d182f67b4c8e3d27e88 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):