Gen.Trojan.Heur.CqWrbkUYdi_ccf5b7f833
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.CqW@rb!kUYdi (B) (Emsisoft), Gen:Trojan.Heur.CqW@rb!kUYdi (AdAware), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ccf5b7f833da259f527f88aeb3fc4819
SHA1: cb3456f35e6fef02ca0db55e3c8e102f712e6603
SHA256: 414a1dac5068c4836a7fa0c7c757d2704fdcf6eaa49829757c1bcf56c99acbde
SSDeep: 12288:HyyaMF222r8TUw7ZUjmYS8VyvH/w1LUv/LZu:HyyaMF222/nBVy3kK/Ls
Size: 473600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cscript.exe:1164
cscript.exe:1160
cscript.exe:1952
cscript.exe:576
cscript.exe:1088
cscript.exe:1944
cscript.exe:1928
cscript.exe:1948
cscript.exe:1836
cscript.exe:1424
cscript.exe:1584
cscript.exe:656
cscript.exe:1252
cscript.exe:324
cscript.exe:1016
cscript.exe:360
cscript.exe:2012
cscript.exe:308
cscript.exe:1092
cscript.exe:772
cscript.exe:564
cscript.exe:588
cscript.exe:608
cscript.exe:244
cscript.exe:260
cscript.exe:240
cscript.exe:1888
cscript.exe:1880
cscript.exe:1932
cscript.exe:968
cscript.exe:1820
cscript.exe:1472
cscript.exe:2000
cscript.exe:1388
cscript.exe:1012
cscript.exe:1100
cscript.exe:512
cscript.exe:516
%original file name%.exe:1164
%original file name%.exe:620
%original file name%.exe:1300
%original file name%.exe:1908
%original file name%.exe:1144
%original file name%.exe:624
%original file name%.exe:572
%original file name%.exe:316
%original file name%.exe:552
%original file name%.exe:1920
%original file name%.exe:404
%original file name%.exe:448
%original file name%.exe:1924
%original file name%.exe:276
%original file name%.exe:856
%original file name%.exe:1980
%original file name%.exe:1852
%original file name%.exe:884
%original file name%.exe:1960
%original file name%.exe:1856
%original file name%.exe:956
%original file name%.exe:1408
%original file name%.exe:1252
%original file name%.exe:368
%original file name%.exe:652
%original file name%.exe:1880
%original file name%.exe:1012
%original file name%.exe:308
%original file name%.exe:1948
%original file name%.exe:1092
%original file name%.exe:616
%original file name%.exe:460
%original file name%.exe:1796
%original file name%.exe:168
%original file name%.exe:480
%original file name%.exe:1284
%original file name%.exe:1804
%original file name%.exe:1640
%original file name%.exe:1724
%original file name%.exe:1768
%original file name%.exe:1388
%original file name%.exe:412
%original file name%.exe:1668
%original file name%.exe:1384
%original file name%.exe:1740
%original file name%.exe:820
%original file name%.exe:1368
The Trojan injects its code into the following process(es):
fGAwoYMM.exe:1832
reIEcoQI.exe:320
NesIMIQs.exe:1756
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process fGAwoYMM.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\KAAo.txt (59668 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zeMYwsYI.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hOokEIwE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hOokEIwE.bat (0 bytes)
The process %original file name%.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mosYYQQQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuAQQIEU.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mosYYQQQ.bat (0 bytes)
The process %original file name%.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ekoUIEwg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kUcIMsAM.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kUcIMsAM.bat (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GSoUossM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FQgsccwM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GSoUossM.bat (0 bytes)
The process %original file name%.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SOoAQkcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwooUokY.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SOoAQkcI.bat (0 bytes)
The process %original file name%.exe:624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DsIIIIEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWAwkkUQ.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DsIIIIEc.bat (0 bytes)
The process %original file name%.exe:572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SwMcMIkg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wscgEEEk.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SwMcMIkg.bat (0 bytes)
The process %original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dsYoMMsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OqsgQEkU.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dsYoMMsM.bat (0 bytes)
The process %original file name%.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\haIkQEUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nCQgcsAE.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nCQgcsAE.bat (0 bytes)
The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iQwEIwEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qgAAoMsM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iQwEIwEc.bat (0 bytes)
The process %original file name%.exe:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kakocwYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\caocwsQk.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kakocwYI.bat (0 bytes)
The process %original file name%.exe:448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GmMgggko.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WckcooIQ.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GmMgggko.bat (0 bytes)
The process %original file name%.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sUocIUEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jasYQokc.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jasYQokc.bat (0 bytes)
The process %original file name%.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yusAkMok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FuwEIoIM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yusAkMok.bat (0 bytes)
The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3825 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUoYggMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yaYMoMQY.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3849 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UUoYggMk.bat (0 bytes)
The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pCoQkgQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rykgwcIs.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rykgwcIs.bat (0 bytes)
The process %original file name%.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jWMIMcEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sMoMEsME.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sMoMEsME.bat (0 bytes)
The process %original file name%.exe:884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KcUEAIEQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WwsMMMos.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KcUEAIEQ.bat (0 bytes)
The process %original file name%.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HYYcwwME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWMYEcwM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HYYcwwME.bat (0 bytes)
The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CYgYUYMc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XiosYowU.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CYgYUYMc.bat (0 bytes)
The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BuYIMIko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kYkMkkwM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmIUkQwk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uKAMwUss.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kYkMkkwM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmIUkQwk.bat (0 bytes)
The process %original file name%.exe:1408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KOgsoMoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XUswkAow.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XUswkAow.bat (0 bytes)
The process %original file name%.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KOcMYYoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dwAQkoMI.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KOcMYYoM.bat (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SsIIIEYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQoIMMYg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NWwwIYUc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmEcsIww.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SsIIIEYM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQoIMMYg.bat (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IowEgUsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCEsoIUw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWQIAUgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qYMQkEck.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IowEgUsc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCEsoIUw.bat (0 bytes)
The process %original file name%.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qIQYEscE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UKgoAcEc.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qIQYEscE.bat (0 bytes)
The process %original file name%.exe:1012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gkckQYQo.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xgskkMUM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xgskkMUM.bat (0 bytes)
The process %original file name%.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fGkMMwoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AiccQkgg.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fGkMMwoY.bat (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lgEkgAww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsMsYogA.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lgEkgAww.bat (0 bytes)
The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cMEMwEAM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eegIUkAI.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eegIUkAI.bat (0 bytes)
The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tGcQEUoY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSocIsYI.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GSocIsYI.bat (0 bytes)
The process %original file name%.exe:460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\JuIkcYMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsUowAwI.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RsUowAwI.bat (0 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgIUIsMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fYYcQIYQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fYYcQIYQ.bat (0 bytes)
The process %original file name%.exe:168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ccUwgwoQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UoYMkwsk.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UoYMkwsk.bat (0 bytes)
The process %original file name%.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQoQIMAM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zEAAsYQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YkowIEkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OCgEoIIg.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQoQIMAM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OCgEoIIg.bat (0 bytes)
The process %original file name%.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YQEIgcgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMYEcgAs.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NMYEcgAs.bat (0 bytes)
The process %original file name%.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\emMMMAkk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RYocEYkk.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\emMMMAkk.bat (0 bytes)
The process %original file name%.exe:1640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yCAIocMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tyoIUcYM.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tyoIUcYM.bat (0 bytes)
The process %original file name%.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GOoQEEkY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GQgIEYEs.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GQgIEYEs.bat (0 bytes)
The process %original file name%.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ewwwssgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mKsYcwAU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEYoAQso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lCsYgcsg.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fEYoAQso.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mKsYcwAU.bat (0 bytes)
The process %original file name%.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QUUkgAII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyYEUwEw.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QUUkgAII.bat (0 bytes)
The process %original file name%.exe:412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\owcUUgck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWQAQYkE.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\owcUUgck.bat (0 bytes)
The process %original file name%.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LyQoAkwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwwUYYEY.bat (4 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qwwUYYEY.bat (0 bytes)
The process %original file name%.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\osYgoMws.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMgcsUUM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NMgcsUUM.bat (0 bytes)
The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OgkcUgUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yOwcAsUg.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OgkcUgUQ.bat (0 bytes)
The process %original file name%.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XQkogQgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\owgEMgcM.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XQkogQgM.bat (0 bytes)
Registry activity
Note on the entries below: the "Seed" value under [HKLM\SOFTWARE\Microsoft\Cryptography\RNG] is rewritten by the Windows CryptoAPI whenever a process requests random bytes, and the MountPoints2 "BaseClass" values are written by the Explorer shell when volumes are enumerated. Neither is a persistence mechanism or sample-specific configuration; the entries of interest are the Run-key values that start fGAwoYMM.exe and NesIMIQs.exe.
The process fGAwoYMM.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 97 21 F0 74 E3 43 CA 6B 06 1F 05 D0 93 B8 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run automatically at each user logon, the Trojan adds the following entry pointing to its file under the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0C 27 24 62 1B 33 B0 E7 B0 38 33 0B 6D 30 F9"
To run automatically at each user logon, the Trojan adds the following entry pointing to its file under the registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process cscript.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 04 0F 95 0D 6A 8B 0E A0 98 FE F9 EE 1E F9 3F"
The process cscript.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 79 AF 47 6D 85 9C C7 3B A5 C7 71 91 8E 03 2C"
The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 10 D6 99 1D 9F 2D 23 3D F0 49 00 9D 89 22 88"
The process cscript.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB F8 3A A6 9F B9 1B EC 6B D9 A9 B2 A3 C6 EE 50"
The process cscript.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 34 F0 66 25 F7 15 E3 25 49 ED 74 9C D6 BE 22"
The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 1D 58 E7 37 0B C6 B6 46 32 AA 76 92 D3 99 AA"
The process cscript.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 70 FA C4 45 48 65 3A 55 81 A1 21 02 55 88 2F"
The process cscript.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 5F 9B DB 75 1D 07 10 62 D1 96 70 CA D7 A9 8D"
The process cscript.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 F8 DE BE 39 D4 DA E2 E2 49 71 22 90 8C 2F 67"
The process cscript.exe:1424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 68 FE 70 2F E1 BF 60 C0 53 E1 CC 1B C6 83 29"
The process cscript.exe:1584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF BA 49 D1 B6 58 9C 50 D9 94 B0 F0 27 BB D7 44"
The process cscript.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 05 90 84 59 EB 91 A6 C7 69 F9 6C 3F 1D FF 3B"
The process cscript.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 2A 96 65 F1 D0 3F 1C 8A E8 51 E2 D0 3F 2F DC"
The process cscript.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 33 01 EF D8 DE 9D C5 C2 0B B6 01 FD 6C 05 DC"
The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 A6 83 24 20 33 D6 E2 EE E0 8E 6A 15 DF 4E 14"
The process cscript.exe:360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 19 4A A9 2C 7F B8 B6 7A C6 85 84 EA 11 A5 78"
The process cscript.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 CF B3 5F 8C 88 25 26 7C 7B 60 8E B2 63 6F B7"
The process cscript.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C B8 B1 E9 3F DE 13 1E 8A A2 58 A6 3B F6 61 2A"
The process cscript.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 13 9C E5 C8 64 A4 CA 4E C0 4D 3A E7 08 E0 A3"
The process cscript.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E9 B7 15 D0 DA 25 23 95 15 45 FF BD EC 2C 8A"
The process cscript.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D6 FC CB CE 5D 37 E3 7A 64 08 AC DE 58 32 7D"
The process cscript.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 BA 14 28 A4 77 85 6D 11 4D 2E 87 5E 15 8B 68"
The process cscript.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 A5 54 15 35 65 FC B3 70 36 2D 89 FE 36 85 6F"
The process cscript.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 EC 37 0A B0 63 C7 D6 70 CA 5B 24 84 E6 74 1A"
The process cscript.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 64 EB 87 5A A1 04 58 EE FB 1D 84 F9 79 AA 59"
The process cscript.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 46 E6 4C 68 10 90 78 CF CE 3C CE 4B 64 DC 35"
The process cscript.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 34 D0 19 17 DF DA 13 CE 04 7E 06 F5 6F CC 73"
The process cscript.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 41 0F 2E DB D0 C0 22 85 B6 BC 02 19 18 00 82"
The process cscript.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 70 F3 64 8E 68 8B 90 E5 DB 99 06 90 A8 FE 22"
The process cscript.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA A6 77 79 1B D2 D8 BF 52 94 99 64 92 DD 0E DF"
The process cscript.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 24 F7 DC 80 DC C1 AF 3D A1 CA 73 0F 71 D0 2E"
The process cscript.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 72 11 FB 16 58 FF EC FB 31 F4 4D 3F 48 5C 8E"
The process cscript.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 49 53 BC D1 53 6D F7 58 74 0E E3 4D A3 65 14"
The process cscript.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 52 5F 1A 19 42 ED 75 B1 A3 43 B7 F6 E5 71 54"
The process cscript.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 1A 4B BA 72 87 81 3C C9 6C 0C 8F 98 0C 61 70"
The process cscript.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 D3 8E AC 98 E9 CE F7 01 6C 99 93 72 3B CA 4A"
The process cscript.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 44 8A 4C 4D D6 2B 34 2D A8 3B AC 08 5E 6C 02"
The process cscript.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 5D 19 26 48 66 9A 98 C1 ED 5A C2 7D 47 42 7F"
The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 36 C5 21 AB 50 AF 00 1C 28 BD 93 F9 EB 27 77"
The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 0A 4B 17 09 B4 F3 CA 6D 3E 5C 73 9F 5E 08 17"
The process %original file name%.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 BC 6A 20 6B 90 73 77 78 DA 5B EA AD 11 FF 42"
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C F9 FB 90 1F 59 E5 E6 21 28 10 56 38 2C EF 2F"
The process %original file name%.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 5D FB FF 3F F2 37 51 D8 66 4C 1C 29 7A B8 9F"
The process %original file name%.exe:624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 55 15 82 0D 45 71 C2 5B 14 C0 35 7F F2 38 C1"
The process %original file name%.exe:572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 AA CE AB 00 4D 33 13 B8 CF C3 B4 76 9D 26 DA"
The process %original file name%.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 02 73 BB 05 6E DE A4 57 A4 BF 58 32 50 2C B5"
The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E CF 7B 1A BE EF B3 80 2A 77 C5 28 EB 37 CE 13"
The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C E3 6D 79 A1 5F 28 2B BD 87 BE FE A1 98 32 28"
The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 13 33 65 8F 54 EE 0E C8 FB 8D 0D 92 FF 37 89"
The process %original file name%.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 36 1C 3C 74 97 68 39 65 72 D3 95 C0 79 42 5A"
The process %original file name%.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 34 47 03 7F F4 30 C9 21 A5 72 4F 15 45 16 EB"
The process %original file name%.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D D0 59 2B 9D B9 27 C4 48 7C C8 B8 F4 F3 89 B1"
The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 28 F8 D3 8C 87 BD 5F 04 0C FF 7B 76 60 57 0A"
To run automatically at each user logon, the Trojan adds the following entries pointing to its files under the registry autorun keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A D6 24 F9 F9 84 4B A8 6A 62 7B EF C0 84 FB 32"
The process %original file name%.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 96 2E A3 89 51 B2 32 74 69 AA 32 00 10 1C 3C"
The process %original file name%.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 E9 8A 68 7C 3A 62 C7 BB 88 4E 66 C3 22 41 0E"
The process %original file name%.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 00 10 61 02 2D 2C E0 E3 07 F6 85 1C A7 F3 EF"
The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 D3 A6 C3 71 B2 6D 00 ED 39 2B 2B 0D 64 F5 F4"
The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D B3 06 FD 01 67 F8 D0 A9 7E 76 B1 46 83 83 1B"
The process %original file name%.exe:1408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 96 34 2F 25 98 92 94 AB 92 D3 0B 26 2C C0"
The process %original file name%.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 B6 0B 0D E4 69 DE D0 4C 85 99 7F 51 17 94 8A"
The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 6A 1C 36 26 25 F0 44 8A 84 4E DB D8 D4 B9 C0"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB F3 C1 A7 09 58 FC A2 C8 66 E9 2E 46 77 FD F5"
The process %original file name%.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 51 E1 9B 7D 0F 1D 31 5C 24 CC BB 3A D7 3F 84"
The process %original file name%.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B E9 6A 51 EA 8A 3D 95 9F 5A B9 5C 8B 00 C9 C6"
The process %original file name%.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D0 30 FB F0 D0 DF A8 85 75 F6 E6 9F FF D6 03"
The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 50 68 85 DA 47 10 B4 B2 D5 81 45 59 71 50 39"
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 A8 79 30 86 E4 38 82 01 51 27 3C 5B 1D CC AE"
The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 52 F5 47 D4 8B 3B 96 19 99 10 21 E8 6B F1 12"
The process %original file name%.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 18 F9 33 10 93 77 60 41 5C AF 90 CF BA 0F 40"
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF E9 77 20 3B 56 F8 2A 86 7A 38 46 97 64 2E 40"
The process %original file name%.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 8E 37 EB F8 8A F7 DF 35 FB 91 59 9D 41 37 61"
The process %original file name%.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 D1 36 36 1E A4 70 2F AD 48 9A 4D 33 C5 74 0E"
The process %original file name%.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 94 5A CA 5A 16 D8 A2 B3 47 05 77 0B 44 5E F6"
The process %original file name%.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 35 13 C7 B0 05 77 B5 D4 CE 13 D3 38 9C 4A 64"
The process %original file name%.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF AC A6 1A CB 8F F4 6F 89 6C FC 11 C2 18 EA 7A"
The process %original file name%.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 56 36 7F 51 36 87 EA A1 CD 97 C8 F1 2D 6B FC"
The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 87 7E A1 9D 62 55 72 BE 5B 29 C4 36 3E C3 DB"
The process %original file name%.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 1F 7C 54 1B DC CF 1E E1 01 77 29 FA F6 48 2E"
The process %original file name%.exe:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 01 C7 D2 DB 97 4E 22 72 4D 5B AC 1B C0 02 0F"
The process %original file name%.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 5A EB B3 7F 29 A5 12 66 B7 35 FC 18 BC 16 17"
The process %original file name%.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 9F 15 28 33 31 63 F7 7B 1A 04 EB 2C 55 0F FC"
The process %original file name%.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 78 00 7C FC 75 D1 4F E3 D8 59 7A 6A A5 AE 78"
The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 42 AD F1 5B 8A AE 33 F9 A7 15 8C 55 6D 3F A9"
The process %original file name%.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 14 E6 70 50 36 86 42 50 7F 5F 60 D7 15 48 90"
The process NesIMIQs.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F A8 44 38 AA A3 01 41 C3 6C A5 BE C3 0C 24 26"
To run automatically at each user logon, the Trojan adds the following entry pointing to its file under the registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| ba547b62ae53274012328144caaf620a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
| dfd97da2b7781bfb1b633662c5f1f406 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
| e9161a32b21810f26d24a45ad186e4c5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
| 010f05a1a01dbf3cd9f1eaab11bb8923 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
| 40379127482098ec937644e0aa4210f8 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
| 3a8edb5452193ea9908aca964a09f0e3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
| 382f5fb75cdfc04eb388bf0b2f22fbbc | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
| 7abd9161695e2e3df4121ffe5a485dfb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
| 494d678df3796728d64b2815ef3d2b28 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
| b39a18868c2d436501fb3f03fd4f4450 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
| 913d90a9002febf7b93bf48c844c58d6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
| db58c54a381442c4e983c44f41897a7e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
| 4afd11db3bced5e64c37c759378cd14e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
| fd4e1bfdb070774aa526e7b7c9414e86 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
| 4940191dc5a8be123407af14a6a91214 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
| d33e32056bb9d384042215534af35a90 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
| c9809f162104735e98e2acdcef0a0c13 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
| 78a1d3d2617b4397800a183853ddd5a4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
| 11caf0e3160186f10e0f4a671c6b6361 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
| ec969a8e14a0938176ace1df1921c447 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
| 4ea3b24dcccd7b9748537203b1bf5e65 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
| f241f1203b115d762ea15703dd8c3aa7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
| 1f22ac3a0a4d4cc11bf190e7a5c4f86a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
| b575417209f9341b5accd885646379fa | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
| 7431e4627563f8dff41a78524c22df43 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
| ee7af5045db58c15b78b866a7aaf6797 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
| 10a7654747787419e4aa4bbb36370862 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
| 22dd363e52880c798a559bafeab925a4 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
| e126800c48337ead9dfde60bfccb9d75 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
| 317fefc8e649af03143461024f3d6873 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
| d0a207094a7d287c57332ab47610c4fc | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
| 58334c92c725ed93a1d27a3f3920858d | c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe |
| d4f43e40e31f28e7533ed4b7a3d8c7c3 | c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe |
| 272b0325c67d25bff94a3171ea99656e | c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe |
| ba37c0725b141bbdb751d4716597f0e7 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
| 48022d7f3a4ce439b3b9f347ab68b32e | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
| 97638b05291c6e1af5d70fc665b6d66b | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
| 814f2c3afa6e70e9be7d03863c5c8bf0 | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
| c61dd1bd0e3cb2e198900f18d33aa13f | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
| bf3f0f628fc1958c0bba754abcd7ee8b | c:\Perl\html\images\AS_logo.gif.exe |
| a8f795bf55248d2d2ee052e50626af6c | c:\Perl\html\images\PerlCritic_run.png.exe |
| 246b561a187c97db5f4c53d3b9bd27d2 | c:\Perl\html\images\aslogo.gif.exe |
| 1f5a85ff7b86cef198cb9f3f55a4f560 | c:\Perl\html\images\ppm_gui.png.exe |
| e4e6dad196539db4d78f64b088a3ffe4 | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
| 6deaea0ba38f22e996bb3f344e20581a | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
| 144c739df905f6cef8fd9675b60ed4e9 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
| e46bfaf25e689e1bf1552b62a2fbfc2f | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
| 38d70155b4f35f705a4f8597da7d71bd | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
| 06fa78fe5307bc0da505edb4913ec90b | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
| 65d9c896e56fe8ce8da207e57751aa0d | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
| 69b98d275170583cff12158d1ae3e8cd | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
| 01eeedcb4c0289a3f6ac49fdcc0afd8b | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
| ca30d665e90727fac5a9ff1eee4a5b4d | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
| 7f5d3da37b5f8ba7d14f2de36f0d255e | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
| b4a7ad1aec1da77dbb67be016f3bf018 | c:\totalcmd\TCMADMIN.EXE.exe |
| a59ac5a84d6c15877d5ddc9e2edb069a | c:\totalcmd\TCMDX32.EXE.exe |
| 31069a1843babd46c6e514db08b8406c | c:\totalcmd\TCUNINST.EXE.exe |
| c10e4220bd0b16e5cfd2c9c0796bcf32 | c:\totalcmd\TOTALCMD.EXE.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 466944 | 466432 | 5.50877 | 3b058105660d604a8c0f1b0de354e9f6 |
| .rdata | 471040 | 4096 | 512 | 1.32331 | 6654d0c9bc875707d345c9bd9dca1fb8 |
| .data | 475136 | 351 | 512 | 3.1558 | accb4838cf51ac5f04fe7eaf6ce2276b |
| .rsrc | 479232 | 4444 | 4608 | 4.0095 | 2c2699f8c0295232ea81c37564325bc7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cscript.exe:1164
cscript.exe:1160
cscript.exe:1952
cscript.exe:576
cscript.exe:1088
cscript.exe:1944
cscript.exe:1928
cscript.exe:1948
cscript.exe:1836
cscript.exe:1424
cscript.exe:1584
cscript.exe:656
cscript.exe:1252
cscript.exe:324
cscript.exe:1016
cscript.exe:360
cscript.exe:2012
cscript.exe:308
cscript.exe:1092
cscript.exe:772
cscript.exe:564
cscript.exe:588
cscript.exe:608
cscript.exe:244
cscript.exe:260
cscript.exe:240
cscript.exe:1888
cscript.exe:1880
cscript.exe:1932
cscript.exe:968
cscript.exe:1820
cscript.exe:1472
cscript.exe:2000
cscript.exe:1388
cscript.exe:1012
cscript.exe:1100
cscript.exe:512
cscript.exe:516
%original file name%.exe:1164
%original file name%.exe:620
%original file name%.exe:1300
%original file name%.exe:1908
%original file name%.exe:1144
%original file name%.exe:624
%original file name%.exe:572
%original file name%.exe:316
%original file name%.exe:552
%original file name%.exe:1920
%original file name%.exe:404
%original file name%.exe:448
%original file name%.exe:1924
%original file name%.exe:276
%original file name%.exe:856
%original file name%.exe:1980
%original file name%.exe:1852
%original file name%.exe:884
%original file name%.exe:1960
%original file name%.exe:1856
%original file name%.exe:956
%original file name%.exe:1408
%original file name%.exe:1252
%original file name%.exe:368
%original file name%.exe:652
%original file name%.exe:1880
%original file name%.exe:1012
%original file name%.exe:308
%original file name%.exe:1948
%original file name%.exe:1092
%original file name%.exe:616
%original file name%.exe:460
%original file name%.exe:1796
%original file name%.exe:168
%original file name%.exe:480
%original file name%.exe:1284
%original file name%.exe:1804
%original file name%.exe:1640
%original file name%.exe:1724
%original file name%.exe:1768
%original file name%.exe:1388
%original file name%.exe:412
%original file name%.exe:1668
%original file name%.exe:1384
%original file name%.exe:1740
%original file name%.exe:820
%original file name%.exe:1368
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\KAAo.txt (59668 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zeMYwsYI.bat (112 bytes)
C:\ccf5b7f833da259f527f88aeb3fc4819 (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hOokEIwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mosYYQQQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuAQQIEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ekoUIEwg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kUcIMsAM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSoUossM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FQgsccwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SOoAQkcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwooUokY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DsIIIIEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWAwkkUQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SwMcMIkg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wscgEEEk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dsYoMMsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OqsgQEkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\haIkQEUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nCQgcsAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iQwEIwEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qgAAoMsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kakocwYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\caocwsQk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GmMgggko.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WckcooIQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sUocIUEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jasYQokc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yusAkMok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FuwEIoIM.bat (112 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3825 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUoYggMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yaYMoMQY.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pCoQkgQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rykgwcIs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWMIMcEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sMoMEsME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KcUEAIEQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WwsMMMos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HYYcwwME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWMYEcwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CYgYUYMc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XiosYowU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BuYIMIko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kYkMkkwM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmIUkQwk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uKAMwUss.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KOgsoMoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XUswkAow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KOcMYYoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dwAQkoMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SsIIIEYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQoIMMYg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NWwwIYUc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmEcsIww.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IowEgUsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCEsoIUw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWQIAUgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qYMQkEck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qIQYEscE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UKgoAcEc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gkckQYQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xgskkMUM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fGkMMwoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AiccQkgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lgEkgAww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsMsYogA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cMEMwEAM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eegIUkAI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tGcQEUoY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSocIsYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JuIkcYMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsUowAwI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgIUIsMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fYYcQIYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ccUwgwoQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UoYMkwsk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQoQIMAM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zEAAsYQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YkowIEkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OCgEoIIg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YQEIgcgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMYEcgAs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emMMMAkk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RYocEYkk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yCAIocMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tyoIUcYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GOoQEEkY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GQgIEYEs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ewwwssgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mKsYcwAU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEYoAQso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lCsYgcsg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QUUkgAII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyYEUwEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\owcUUgck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWQAQYkE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LyQoAkwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwwUYYEY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\osYgoMws.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMgcsUUM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OgkcUgUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yOwcAsUg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XQkogQgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\owgEMgcM.bat (112 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.