HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.CqW@rb!kUYdi (B) (Emsisoft), Gen:Trojan.Heur.CqW@rb!kUYdi (AdAware), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ccf5b7f833da259f527f88aeb3fc4819
SHA1: cb3456f35e6fef02ca0db55e3c8e102f712e6603
SHA256: 414a1dac5068c4836a7fa0c7c757d2704fdcf6eaa49829757c1bcf56c99acbde
SSDeep: 12288:HyyaMF222r8TUw7ZUjmYS8VyvH/w1LUv/LZu:HyyaMF222/nBVy3kK/Ls
Size: 473600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cscript.exe:1164
cscript.exe:1160
cscript.exe:1952
cscript.exe:576
cscript.exe:1088
cscript.exe:1944
cscript.exe:1928
cscript.exe:1948
cscript.exe:1836
cscript.exe:1424
cscript.exe:1584
cscript.exe:656
cscript.exe:1252
cscript.exe:324
cscript.exe:1016
cscript.exe:360
cscript.exe:2012
cscript.exe:308
cscript.exe:1092
cscript.exe:772
cscript.exe:564
cscript.exe:588
cscript.exe:608
cscript.exe:244
cscript.exe:260
cscript.exe:240
cscript.exe:1888
cscript.exe:1880
cscript.exe:1932
cscript.exe:968
cscript.exe:1820
cscript.exe:1472
cscript.exe:2000
cscript.exe:1388
cscript.exe:1012
cscript.exe:1100
cscript.exe:512
cscript.exe:516
%original file name%.exe:1164
%original file name%.exe:620
%original file name%.exe:1300
%original file name%.exe:1908
%original file name%.exe:1144
%original file name%.exe:624
%original file name%.exe:572
%original file name%.exe:316
%original file name%.exe:552
%original file name%.exe:1920
%original file name%.exe:404
%original file name%.exe:448
%original file name%.exe:1924
%original file name%.exe:276
%original file name%.exe:856
%original file name%.exe:1980
%original file name%.exe:1852
%original file name%.exe:884
%original file name%.exe:1960
%original file name%.exe:1856
%original file name%.exe:956
%original file name%.exe:1408
%original file name%.exe:1252
%original file name%.exe:368
%original file name%.exe:652
%original file name%.exe:1880
%original file name%.exe:1012
%original file name%.exe:308
%original file name%.exe:1948
%original file name%.exe:1092
%original file name%.exe:616
%original file name%.exe:460
%original file name%.exe:1796
%original file name%.exe:168
%original file name%.exe:480
%original file name%.exe:1284
%original file name%.exe:1804
%original file name%.exe:1640
%original file name%.exe:1724
%original file name%.exe:1768
%original file name%.exe:1388
%original file name%.exe:412
%original file name%.exe:1668
%original file name%.exe:1384
%original file name%.exe:1740
%original file name%.exe:820
%original file name%.exe:1368
The Trojan injects its code into the following process(es):
fGAwoYMM.exe:1832
reIEcoQI.exe:320
NesIMIQs.exe:1756
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process fGAwoYMM.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\KAAo.txt (59668 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zeMYwsYI.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hOokEIwE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hOokEIwE.bat (0 bytes)
The process %original file name%.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mosYYQQQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuAQQIEU.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mosYYQQQ.bat (0 bytes)
The process %original file name%.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ekoUIEwg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kUcIMsAM.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kUcIMsAM.bat (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GSoUossM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FQgsccwM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GSoUossM.bat (0 bytes)
The process %original file name%.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SOoAQkcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwooUokY.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SOoAQkcI.bat (0 bytes)
The process %original file name%.exe:624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DsIIIIEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWAwkkUQ.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DsIIIIEc.bat (0 bytes)
The process %original file name%.exe:572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SwMcMIkg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wscgEEEk.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SwMcMIkg.bat (0 bytes)
The process %original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dsYoMMsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OqsgQEkU.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dsYoMMsM.bat (0 bytes)
The process %original file name%.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\haIkQEUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nCQgcsAE.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nCQgcsAE.bat (0 bytes)
The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iQwEIwEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qgAAoMsM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iQwEIwEc.bat (0 bytes)
The process %original file name%.exe:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kakocwYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\caocwsQk.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kakocwYI.bat (0 bytes)
The process %original file name%.exe:448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GmMgggko.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WckcooIQ.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GmMgggko.bat (0 bytes)
The process %original file name%.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sUocIUEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jasYQokc.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jasYQokc.bat (0 bytes)
The process %original file name%.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yusAkMok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FuwEIoIM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yusAkMok.bat (0 bytes)
The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3825 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUoYggMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yaYMoMQY.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3849 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UUoYggMk.bat (0 bytes)
The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pCoQkgQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rykgwcIs.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rykgwcIs.bat (0 bytes)
The process %original file name%.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jWMIMcEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sMoMEsME.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sMoMEsME.bat (0 bytes)
The process %original file name%.exe:884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KcUEAIEQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WwsMMMos.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KcUEAIEQ.bat (0 bytes)
The process %original file name%.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HYYcwwME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWMYEcwM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HYYcwwME.bat (0 bytes)
The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CYgYUYMc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XiosYowU.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CYgYUYMc.bat (0 bytes)
The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BuYIMIko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kYkMkkwM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmIUkQwk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uKAMwUss.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kYkMkkwM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmIUkQwk.bat (0 bytes)
The process %original file name%.exe:1408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KOgsoMoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XUswkAow.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XUswkAow.bat (0 bytes)
The process %original file name%.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KOcMYYoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dwAQkoMI.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KOcMYYoM.bat (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SsIIIEYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQoIMMYg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NWwwIYUc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmEcsIww.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SsIIIEYM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQoIMMYg.bat (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IowEgUsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCEsoIUw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWQIAUgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qYMQkEck.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IowEgUsc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCEsoIUw.bat (0 bytes)
The process %original file name%.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qIQYEscE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UKgoAcEc.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qIQYEscE.bat (0 bytes)
The process %original file name%.exe:1012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gkckQYQo.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xgskkMUM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xgskkMUM.bat (0 bytes)
The process %original file name%.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fGkMMwoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AiccQkgg.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fGkMMwoY.bat (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lgEkgAww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsMsYogA.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lgEkgAww.bat (0 bytes)
The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cMEMwEAM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eegIUkAI.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eegIUkAI.bat (0 bytes)
The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tGcQEUoY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSocIsYI.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GSocIsYI.bat (0 bytes)
The process %original file name%.exe:460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\JuIkcYMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsUowAwI.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RsUowAwI.bat (0 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgIUIsMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fYYcQIYQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fYYcQIYQ.bat (0 bytes)
The process %original file name%.exe:168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ccUwgwoQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UoYMkwsk.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UoYMkwsk.bat (0 bytes)
The process %original file name%.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQoQIMAM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zEAAsYQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YkowIEkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OCgEoIIg.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQoQIMAM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OCgEoIIg.bat (0 bytes)
The process %original file name%.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YQEIgcgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMYEcgAs.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NMYEcgAs.bat (0 bytes)
The process %original file name%.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\emMMMAkk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RYocEYkk.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\emMMMAkk.bat (0 bytes)
The process %original file name%.exe:1640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yCAIocMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tyoIUcYM.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tyoIUcYM.bat (0 bytes)
The process %original file name%.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GOoQEEkY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GQgIEYEs.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GQgIEYEs.bat (0 bytes)
The process %original file name%.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ewwwssgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mKsYcwAU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEYoAQso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lCsYgcsg.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fEYoAQso.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mKsYcwAU.bat (0 bytes)
The process %original file name%.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QUUkgAII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyYEUwEw.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QUUkgAII.bat (0 bytes)
The process %original file name%.exe:412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\owcUUgck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWQAQYkE.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\owcUUgck.bat (0 bytes)
The process %original file name%.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LyQoAkwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwwUYYEY.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qwwUYYEY.bat (0 bytes)
The process %original file name%.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\osYgoMws.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMgcsUUM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NMgcsUUM.bat (0 bytes)
The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OgkcUgUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yOwcAsUg.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OgkcUgUQ.bat (0 bytes)
The process %original file name%.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XQkogQgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\owgEMgcM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XQkogQgM.bat (0 bytes)
Registry activity
The process fGAwoYMM.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 97 21 F0 74 E3 43 CA 6B 06 1F 05 D0 93 B8 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0C 27 24 62 1B 33 B0 E7 B0 38 33 0B 6D 30 F9"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process cscript.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 04 0F 95 0D 6A 8B 0E A0 98 FE F9 EE 1E F9 3F"
The process cscript.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 79 AF 47 6D 85 9C C7 3B A5 C7 71 91 8E 03 2C"
The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 10 D6 99 1D 9F 2D 23 3D F0 49 00 9D 89 22 88"
The process cscript.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB F8 3A A6 9F B9 1B EC 6B D9 A9 B2 A3 C6 EE 50"
The process cscript.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 34 F0 66 25 F7 15 E3 25 49 ED 74 9C D6 BE 22"
The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 1D 58 E7 37 0B C6 B6 46 32 AA 76 92 D3 99 AA"
The process cscript.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 70 FA C4 45 48 65 3A 55 81 A1 21 02 55 88 2F"
The process cscript.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 5F 9B DB 75 1D 07 10 62 D1 96 70 CA D7 A9 8D"
The process cscript.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 F8 DE BE 39 D4 DA E2 E2 49 71 22 90 8C 2F 67"
The process cscript.exe:1424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 68 FE 70 2F E1 BF 60 C0 53 E1 CC 1B C6 83 29"
The process cscript.exe:1584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF BA 49 D1 B6 58 9C 50 D9 94 B0 F0 27 BB D7 44"
The process cscript.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 05 90 84 59 EB 91 A6 C7 69 F9 6C 3F 1D FF 3B"
The process cscript.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 2A 96 65 F1 D0 3F 1C 8A E8 51 E2 D0 3F 2F DC"
The process cscript.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 33 01 EF D8 DE 9D C5 C2 0B B6 01 FD 6C 05 DC"
The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 A6 83 24 20 33 D6 E2 EE E0 8E 6A 15 DF 4E 14"
The process cscript.exe:360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 19 4A A9 2C 7F B8 B6 7A C6 85 84 EA 11 A5 78"
The process cscript.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 CF B3 5F 8C 88 25 26 7C 7B 60 8E B2 63 6F B7"
The process cscript.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C B8 B1 E9 3F DE 13 1E 8A A2 58 A6 3B F6 61 2A"
The process cscript.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 13 9C E5 C8 64 A4 CA 4E C0 4D 3A E7 08 E0 A3"
The process cscript.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E9 B7 15 D0 DA 25 23 95 15 45 FF BD EC 2C 8A"
The process cscript.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D6 FC CB CE 5D 37 E3 7A 64 08 AC DE 58 32 7D"
The process cscript.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 BA 14 28 A4 77 85 6D 11 4D 2E 87 5E 15 8B 68"
The process cscript.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 A5 54 15 35 65 FC B3 70 36 2D 89 FE 36 85 6F"
The process cscript.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 EC 37 0A B0 63 C7 D6 70 CA 5B 24 84 E6 74 1A"
The process cscript.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 64 EB 87 5A A1 04 58 EE FB 1D 84 F9 79 AA 59"
The process cscript.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 46 E6 4C 68 10 90 78 CF CE 3C CE 4B 64 DC 35"
The process cscript.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 34 D0 19 17 DF DA 13 CE 04 7E 06 F5 6F CC 73"
The process cscript.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 41 0F 2E DB D0 C0 22 85 B6 BC 02 19 18 00 82"
The process cscript.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 70 F3 64 8E 68 8B 90 E5 DB 99 06 90 A8 FE 22"
The process cscript.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA A6 77 79 1B D2 D8 BF 52 94 99 64 92 DD 0E DF"
The process cscript.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 24 F7 DC 80 DC C1 AF 3D A1 CA 73 0F 71 D0 2E"
The process cscript.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 72 11 FB 16 58 FF EC FB 31 F4 4D 3F 48 5C 8E"
The process cscript.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 49 53 BC D1 53 6D F7 58 74 0E E3 4D A3 65 14"
The process cscript.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 52 5F 1A 19 42 ED 75 B1 A3 43 B7 F6 E5 71 54"
The process cscript.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 1A 4B BA 72 87 81 3C C9 6C 0C 8F 98 0C 61 70"
The process cscript.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 D3 8E AC 98 E9 CE F7 01 6C 99 93 72 3B CA 4A"
The process cscript.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 44 8A 4C 4D D6 2B 34 2D A8 3B AC 08 5E 6C 02"
The process cscript.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 5D 19 26 48 66 9A 98 C1 ED 5A C2 7D 47 42 7F"
The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 36 C5 21 AB 50 AF 00 1C 28 BD 93 F9 EB 27 77"
The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 0A 4B 17 09 B4 F3 CA 6D 3E 5C 73 9F 5E 08 17"
The process %original file name%.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 BC 6A 20 6B 90 73 77 78 DA 5B EA AD 11 FF 42"
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C F9 FB 90 1F 59 E5 E6 21 28 10 56 38 2C EF 2F"
The process %original file name%.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 5D FB FF 3F F2 37 51 D8 66 4C 1C 29 7A B8 9F"
The process %original file name%.exe:624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 55 15 82 0D 45 71 C2 5B 14 C0 35 7F F2 38 C1"
The process %original file name%.exe:572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 AA CE AB 00 4D 33 13 B8 CF C3 B4 76 9D 26 DA"
The process %original file name%.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 02 73 BB 05 6E DE A4 57 A4 BF 58 32 50 2C B5"
The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E CF 7B 1A BE EF B3 80 2A 77 C5 28 EB 37 CE 13"
The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C E3 6D 79 A1 5F 28 2B BD 87 BE FE A1 98 32 28"
The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 13 33 65 8F 54 EE 0E C8 FB 8D 0D 92 FF 37 89"
The process %original file name%.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 36 1C 3C 74 97 68 39 65 72 D3 95 C0 79 42 5A"
The process %original file name%.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 34 47 03 7F F4 30 C9 21 A5 72 4F 15 45 16 EB"
The process %original file name%.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D D0 59 2B 9D B9 27 C4 48 7C C8 B8 F4 F3 89 B1"
The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 28 F8 D3 8C 87 BD 5F 04 0C FF 7B 76 60 57 0A"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A D6 24 F9 F9 84 4B A8 6A 62 7B EF C0 84 FB 32"
The process %original file name%.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 96 2E A3 89 51 B2 32 74 69 AA 32 00 10 1C 3C"
The process %original file name%.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 E9 8A 68 7C 3A 62 C7 BB 88 4E 66 C3 22 41 0E"
The process %original file name%.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 00 10 61 02 2D 2C E0 E3 07 F6 85 1C A7 F3 EF"
The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 D3 A6 C3 71 B2 6D 00 ED 39 2B 2B 0D 64 F5 F4"
The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D B3 06 FD 01 67 F8 D0 A9 7E 76 B1 46 83 83 1B"
The process %original file name%.exe:1408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 96 34 2F 25 98 92 94 AB 92 D3 0B 26 2C C0"
The process %original file name%.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 B6 0B 0D E4 69 DE D0 4C 85 99 7F 51 17 94 8A"
The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 6A 1C 36 26 25 F0 44 8A 84 4E DB D8 D4 B9 C0"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB F3 C1 A7 09 58 FC A2 C8 66 E9 2E 46 77 FD F5"
The process %original file name%.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 51 E1 9B 7D 0F 1D 31 5C 24 CC BB 3A D7 3F 84"
The process %original file name%.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B E9 6A 51 EA 8A 3D 95 9F 5A B9 5C 8B 00 C9 C6"
The process %original file name%.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D0 30 FB F0 D0 DF A8 85 75 F6 E6 9F FF D6 03"
The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 50 68 85 DA 47 10 B4 B2 D5 81 45 59 71 50 39"
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 A8 79 30 86 E4 38 82 01 51 27 3C 5B 1D CC AE"
The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 52 F5 47 D4 8B 3B 96 19 99 10 21 E8 6B F1 12"
The process %original file name%.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 18 F9 33 10 93 77 60 41 5C AF 90 CF BA 0F 40"
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF E9 77 20 3B 56 F8 2A 86 7A 38 46 97 64 2E 40"
The process %original file name%.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 8E 37 EB F8 8A F7 DF 35 FB 91 59 9D 41 37 61"
The process %original file name%.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 D1 36 36 1E A4 70 2F AD 48 9A 4D 33 C5 74 0E"
The process %original file name%.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 94 5A CA 5A 16 D8 A2 B3 47 05 77 0B 44 5E F6"
The process %original file name%.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 35 13 C7 B0 05 77 B5 D4 CE 13 D3 38 9C 4A 64"
The process %original file name%.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF AC A6 1A CB 8F F4 6F 89 6C FC 11 C2 18 EA 7A"
The process %original file name%.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 56 36 7F 51 36 87 EA A1 CD 97 C8 F1 2D 6B FC"
The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 87 7E A1 9D 62 55 72 BE 5B 29 C4 36 3E C3 DB"
The process %original file name%.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 1F 7C 54 1B DC CF 1E E1 01 77 29 FA F6 48 2E"
The process %original file name%.exe:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 01 C7 D2 DB 97 4E 22 72 4D 5B AC 1B C0 02 0F"
The process %original file name%.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 5A EB B3 7F 29 A5 12 66 B7 35 FC 18 BC 16 17"
The process %original file name%.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 9F 15 28 33 31 63 F7 7B 1A 04 EB 2C 55 0F FC"
The process %original file name%.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 78 00 7C FC 75 D1 4F E3 D8 59 7A 6A A5 AE 78"
The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 42 AD F1 5B 8A AE 33 F9 A7 15 8C 55 6D 3F A9"
The process %original file name%.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 14 E6 70 50 36 86 42 50 7F 5F 60 D7 15 48 90"
The process NesIMIQs.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F A8 44 38 AA A3 01 41 C3 6C A5 BE C3 0C 24 26"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
Dropped PE files
MD5 | File path |
---|---|
ba547b62ae53274012328144caaf620a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
dfd97da2b7781bfb1b633662c5f1f406 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
e9161a32b21810f26d24a45ad186e4c5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
010f05a1a01dbf3cd9f1eaab11bb8923 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
40379127482098ec937644e0aa4210f8 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
3a8edb5452193ea9908aca964a09f0e3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
382f5fb75cdfc04eb388bf0b2f22fbbc | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
7abd9161695e2e3df4121ffe5a485dfb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
494d678df3796728d64b2815ef3d2b28 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
b39a18868c2d436501fb3f03fd4f4450 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
913d90a9002febf7b93bf48c844c58d6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
db58c54a381442c4e983c44f41897a7e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
4afd11db3bced5e64c37c759378cd14e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
fd4e1bfdb070774aa526e7b7c9414e86 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
4940191dc5a8be123407af14a6a91214 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
d33e32056bb9d384042215534af35a90 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
c9809f162104735e98e2acdcef0a0c13 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
78a1d3d2617b4397800a183853ddd5a4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
11caf0e3160186f10e0f4a671c6b6361 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
ec969a8e14a0938176ace1df1921c447 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
4ea3b24dcccd7b9748537203b1bf5e65 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
f241f1203b115d762ea15703dd8c3aa7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
1f22ac3a0a4d4cc11bf190e7a5c4f86a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
b575417209f9341b5accd885646379fa | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
7431e4627563f8dff41a78524c22df43 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 466944 | 466432 | 5.50877 | 3b058105660d604a8c0f1b0de354e9f6 |
.rdata | 471040 | 4096 | 512 | 1.32331 | 6654d0c9bc875707d345c9bd9dca1fb8 |
.data | 475136 | 351 | 512 | 3.1558 | accb4838cf51ac5f04fe7eaf6ce2276b |
.rsrc | 479232 | 4444 | 4608 | 4.0095 | 2c2699f8c0295232ea81c37564325bc7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):