Gen.Trojan.Heur.TP.ntWbmSScmbi_3ff310bcb9
UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Trojan.Heur.TP.ntW@bmSScmbi (B) (Emsisoft), Gen:Trojan.Heur.TP.ntW@bmSScmbi (AdAware), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 3ff310bcb9359a384061ef12a31ea9de
SHA1: cfc1caccad9a62e8000b989dcef9f0d03a51c9d1
SHA256: d999dacab9cdc09826c67f23125dad2fbf5eaeaa68b8fe3fe705da0480ae8d81
SSDeep: 98304:1Xz udBmYLotgiXK0TW3NoZo9LQKOlkr1:1D ur3LaVToL9OC
Size: 3362816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cscript.exe:1788
cscript.exe:1304
cscript.exe:1140
cscript.exe:212
cscript.exe:1780
cscript.exe:1300
cscript.exe:492
cscript.exe:1948
cscript.exe:1836
cscript.exe:1076
cscript.exe:1072
cscript.exe:344
cscript.exe:544
cscript.exe:1376
cscript.exe:1520
cscript.exe:548
cscript.exe:284
cscript.exe:1672
cscript.exe:2012
cscript.exe:1792
cscript.exe:1152
cscript.exe:260
cscript.exe:1952
cscript.exe:364
cscript.exe:928
cscript.exe:828
cscript.exe:824
cscript.exe:372
cscript.exe:376
cscript.exe:1080
cscript.exe:1920
cscript.exe:1484
cscript.exe:1716
cscript.exe:1256
cscript.exe:520
cscript.exe:1016
cscript.exe:1236
cscript.exe:304
cscript.exe:380
cscript.exe:1932
cscript.exe:1252
cscript.exe:1936
cscript.exe:1436
cscript.exe:900
cscript.exe:1432
cscript.exe:788
cscript.exe:1536
cscript.exe:644
cscript.exe:1224
cscript.exe:572
cscript.exe:1344
cscript.exe:332
cscript.exe:252
cscript.exe:1900
cscript.exe:1632
cscript.exe:1980
cscript.exe:1500
cscript.exe:1036
cscript.exe:500
cscript.exe:636
cscript.exe:1596
cscript.exe:1864
cscript.exe:280
cscript.exe:780
cscript.exe:868
cscript.exe:1620
cscript.exe:1028
cscript.exe:2024
cscript.exe:1104
cscript.exe:816
cscript.exe:1452
cscript.exe:408
cscript.exe:728
cscript.exe:604
cscript.exe:1160
cscript.exe:1168
cscript.exe:552
cscript.exe:232
cscript.exe:1240
cscript.exe:1964
cscript.exe:1196
cscript.exe:2036
cscript.exe:1112
cscript.exe:2032
cscript.exe:1176
cscript.exe:776
cscript.exe:612
cscript.exe:1272
cscript.exe:616
cscript.exe:1276
cscript.exe:1288
cscript.exe:792
cscript.exe:1608
cscript.exe:1040
cscript.exe:1044
cscript.exe:1604
cscript.exe:940
cscript.exe:1472
cscript.exe:476
cscript.exe:2004
cscript.exe:2008
cscript.exe:1368
%original file name%.exe:1304
%original file name%.exe:1140
%original file name%.exe:1300
%original file name%.exe:212
%original file name%.exe:492
%original file name%.exe:1948
%original file name%.exe:268
%original file name%.exe:1076
%original file name%.exe:624
%original file name%.exe:1072
%original file name%.exe:340
%original file name%.exe:544
%original file name%.exe:280
%original file name%.exe:284
%original file name%.exe:816
%original file name%.exe:2012
%original file name%.exe:1792
%original file name%.exe:1796
%original file name%.exe:1152
%original file name%.exe:264
%original file name%.exe:1228
%original file name%.exe:1016
%original file name%.exe:520
%original file name%.exe:1824
%original file name%.exe:1064
%original file name%.exe:828
%original file name%.exe:824
%original file name%.exe:372
%original file name%.exe:376
%original file name%.exe:1532
%original file name%.exe:1920
%original file name%.exe:1480
%original file name%.exe:1484
%original file name%.exe:1716
%original file name%.exe:1256
%original file name%.exe:1520
%original file name%.exe:364
%original file name%.exe:916
%original file name%.exe:584
%original file name%.exe:1232
%original file name%.exe:1336
%original file name%.exe:304
%original file name%.exe:1984
%original file name%.exe:588
%original file name%.exe:380
%original file name%.exe:1932
%original file name%.exe:1252
%original file name%.exe:1436
%original file name%.exe:1432
%original file name%.exe:788
%original file name%.exe:848
%original file name%.exe:1240
%original file name%.exe:1244
%original file name%.exe:436
%original file name%.exe:1220
%original file name%.exe:332
%original file name%.exe:252
%original file name%.exe:1900
%original file name%.exe:1632
%original file name%.exe:852
%original file name%.exe:1988
%original file name%.exe:1500
%original file name%.exe:652
%original file name%.exe:1036
%original file name%.exe:500
%original file name%.exe:1216
%original file name%.exe:1596
%original file name%.exe:1864
%original file name%.exe:780
%original file name%.exe:220
%original file name%.exe:1992
%original file name%.exe:1028
%original file name%.exe:2024
%original file name%.exe:1672
%original file name%.exe:1452
%original file name%.exe:728
%original file name%.exe:1512
%original file name%.exe:1164
%original file name%.exe:604
%original file name%.exe:1160
%original file name%.exe:552
%original file name%.exe:232
%original file name%.exe:1964
%original file name%.exe:1196
%original file name%.exe:1568
%original file name%.exe:2032
%original file name%.exe:644
%original file name%.exe:1176
%original file name%.exe:776
%original file name%.exe:612
%original file name%.exe:1608
%original file name%.exe:1040
%original file name%.exe:1044
%original file name%.exe:1976
%original file name%.exe:940
%original file name%.exe:1472
%original file name%.exe:356
%original file name%.exe:476
%original file name%.exe:2004
%original file name%.exe:1368
%original file name%.exe:804
The Trojan injects its code into the following process(es):
NesIMIQs.exe:1676
fGAwoYMM.exe:1332
reIEcoQI.exe:580
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process NesIMIQs.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
The process %original file name%.exe:1304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWMwEIUg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RekYQIws.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSsAwoYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uksEIAgk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RekYQIws.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSsAwoYQ.bat (0 bytes)
The process %original file name%.exe:1140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QuQEUYcQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ekoUUMsA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QuQEUYcQ.bat (0 bytes)
The process %original file name%.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\poYAUQkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yCMQIcAA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsMoIAsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JckAwcMs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsMoIAsQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JckAwcMs.bat (0 bytes)
The process %original file name%.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iskMYogQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kuIgMQAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hAQMYUsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iMcIIcEE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iMcIIcEE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kuIgMQAE.bat (0 bytes)
The process %original file name%.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oAUcgscY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vsocQswc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wScwIUEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iyksEIoo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kmoQYIoo.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QEocwUQI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vsocQswc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QEocwUQI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oAUcgscY.bat (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aOIwYkQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcAgcMoY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tcAgcMoY.bat (0 bytes)
The process %original file name%.exe:268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UAYAsMUU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fKIQoMgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teoAAQwA.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fWIUAMMQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LUAIgAws.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AWcsIwsM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fWIUAMMQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AWcsIwsM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teoAAQwA.bat (0 bytes)
The process %original file name%.exe:1076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HQIMksMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YOgEgYgw.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tGYIEMIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WysEcgsg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gcoQoMgY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EOgIgowI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WysEcgsg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gcoQoMgY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EOgIgowI.bat (0 bytes)
The process %original file name%.exe:624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wUEkgMEc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\giUcIQsQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\giUcIQsQ.bat (0 bytes)
The process %original file name%.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\doEwMUsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NIkwkkcM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NIkwkkcM.bat (0 bytes)
The process %original file name%.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qaYsQUYE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zQYkYIoc.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zQYkYIoc.bat (0 bytes)
The process %original file name%.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWIUEAYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tWkQsMAc.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tWkQsMAc.bat (0 bytes)
The process %original file name%.exe:280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\loAMUkUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hyQAIoYE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YQoUMsEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UoEMcwIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hsMYQwIY.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AekkcEMs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\loAMUkUQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AekkcEMs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hyQAIoYE.bat (0 bytes)
The process %original file name%.exe:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WQgAgcEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CoUswgEI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CoUswgEI.bat (0 bytes)
The process %original file name%.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pkwQYIcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\igYQMQoE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\igYQMQoE.bat (0 bytes)
The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ymQAccsc.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MuoocogU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OUAUMYQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PIEkoYco.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ymQAccsc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MuoocogU.bat (0 bytes)
The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bmYsoAoo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKIgEowA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QQIksUIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGogMwQI.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CKIgEowA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QQIksUIc.bat (0 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XMMgwsQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OWIsogAk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XMMgwsQA.bat (0 bytes)
The process %original file name%.exe:1152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sysUIwsw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XugEIcIE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hmIgwMUg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DoEgoYwI.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XugEIcIE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hmIgwMUg.bat (0 bytes)
The process %original file name%.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyYIEsgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuwMYAgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kMYAYMww.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qIYsEgoc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TyYIEsgs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuwMYAgk.bat (0 bytes)
The process %original file name%.exe:1228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PyUEokgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DekkoIQk.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DekkoIQk.bat (0 bytes)
The process %original file name%.exe:1016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AoEkoQIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IiAosIgU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\daUMEAwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aYcMMgwk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IiAosIgU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\daUMEAwA.bat (0 bytes)
The process %original file name%.exe:520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zOEUcEkQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QwUQUUwc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zOEUcEkQ.bat (0 bytes)
The process %original file name%.exe:1824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EwEsgUkQ.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GWoYQYYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IewwEsAc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qEkwQEYE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EwEsgUkQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IewwEsAc.bat (0 bytes)
The process %original file name%.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zisgIAUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xIwYogoA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zisgIAUs.bat (0 bytes)
The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EqEAEAoc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AgYUsggA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LoEsYAcM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TesEsQII.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EqEAEAoc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TesEsQII.bat (0 bytes)
The process %original file name%.exe:824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PSQgEEsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vQgAYcYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQwYIQYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JeQIwsoY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PSQgEEsQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JeQIwsoY.bat (0 bytes)
The process %original file name%.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WgcUUkEc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEkwMAUU.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YsMYwQYg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HCwYQsoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JagkwAkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vqkAgEss.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YsMYwQYg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HCwYQsoM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JagkwAkM.bat (0 bytes)
The process %original file name%.exe:376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LwwYIgQo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lgMIIMYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iyEAsokM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DuMEMIso.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LwwYIgQo.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lgMIIMYA.bat (0 bytes)
The process %original file name%.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEwUIQsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QSoUMYIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KgogwYMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zkkssEwo.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zkkssEwo.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QSoUMYIw.bat (0 bytes)
The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\guUAIcsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMcUsUMU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LMcUsUMU.bat (0 bytes)
The process %original file name%.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eUAsQUkM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nWYoQogc.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nWYoQogc.bat (0 bytes)
The process %original file name%.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PkkQQYQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fAAgAMMU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fAAgAMMU.bat (0 bytes)
The process %original file name%.exe:1716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SisMoMsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOgcUEEk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SisMoMsw.bat (0 bytes)
The process %original file name%.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xwMogkAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FEAQwwUw.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FEAQwwUw.bat (0 bytes)
The process %original file name%.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aIoQIgUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RGMgwswY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RGMgwswY.bat (0 bytes)
The process %original file name%.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aUgQAAwU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\igUAoIMM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\igUAoIMM.bat (0 bytes)
The process %original file name%.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tkkQAgEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WGocckws.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WGocckws.bat (0 bytes)
The process %original file name%.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QiwsoMIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hMAcckEg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WscQkoYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYoEwAYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngYQIwMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HcggMswM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\foQMEckw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZAwEUQgk.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (70516 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QiwsoMIo.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZAwEUQgk.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYoEwAYo.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HcggMswM.bat (0 bytes)
The process %original file name%.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wMUYsYkY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JuoYEMAQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wMUYsYkY.bat (0 bytes)
The process %original file name%.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYAsIAYQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ISUcMcsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tIQIoYsk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GAogAUQI.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ISUcMcsQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tIQIoYsk.bat (0 bytes)
The process %original file name%.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jkskcMUM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cEoocMcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BUAAQAco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vIoQAYgk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cEoocMcs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BUAAQAco.bat (0 bytes)
The process %original file name%.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYssokMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TEcIMUgI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TEcIMUgI.bat (0 bytes)
The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AWsoIAYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BkUAkgck.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AWsoIAYs.bat (0 bytes)
The process %original file name%.exe:380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oUMUEEAw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lSQwowYM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gYscsQYE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RaYcsgQc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xwsYMwUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MIwQwkYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RIEAAEQA.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (70516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEokAQUU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oUMUEEAw.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RaYcsgQc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MIwQwkYo.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEokAQUU.bat (0 bytes)
The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nIcAQgAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VIkUcAgM.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nIcAQgAE.bat (0 bytes)
The process %original file name%.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NckgsoMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WkYMIYko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RCoEAoUA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKkoswQU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NckgsoMA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKkoswQU.bat (0 bytes)
The process %original file name%.exe:1436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aAQgYksc.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PIMcwcoU.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aAQgYksc.bat (0 bytes)
The process %original file name%.exe:1432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WMgccUYU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ocwcMIwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KyMgMoAg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OgQwYooU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KyMgMoAg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OgQwYooU.bat (0 bytes)
The process %original file name%.exe:788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fgsMEsMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gAMIMwgY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gAMIMwgY.bat (0 bytes)
The process %original file name%.exe:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YGUYYMIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jakYoIwY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YGUYYMIA.bat (0 bytes)
The process %original file name%.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEgYEUoM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HiUAUwYU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HiUAUwYU.bat (0 bytes)
The process %original file name%.exe:1244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\guAoQcoE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQMkkUUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swwIsEcU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HmMAQkok.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LQMkkUUQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swwIsEcU.bat (0 bytes)
The process %original file name%.exe:436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JcYwcIkY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmkMQgcA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uGQIkswU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAskoIYk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uGQIkswU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JcYwcIkY.bat (0 bytes)
The process %original file name%.exe:1220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eccgkYok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sEcIgEkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LyggkwMc.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ImsswskU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nawYcIgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BooQkEEE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sEcIgEkM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eccgkYok.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LyggkwMc.bat (0 bytes)
The process %original file name%.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\roYQwsQc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TCgMYkIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uyYMUcEs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rkQgIcwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kUYEEsQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqUsUsYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YWYAsYss.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NYkQcQsw.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (70516 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YWYAsYss.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NYkQcQsw.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TCgMYkIA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqUsUsYM.bat (0 bytes)
The process %original file name%.exe:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NaUwQMwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LAIUQkAg.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LAIUQkAg.bat (0 bytes)
The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\igkoUAIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XaYQIQAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zOcQUEQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rqEcskAg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\igkoUAIc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XaYQIQAE.bat (0 bytes)
The process %original file name%.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lSUIkMQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UWYEoswg.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UWYEoswg.bat (0 bytes)
The process %original file name%.exe:852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YEoUwAYA.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MQIIooUQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmswwMok.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KqAAwMMQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YEoUwAYA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KqAAwMMQ.bat (0 bytes)
The process %original file name%.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vAcQAEgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IoskcAUY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vAcQAEgw.bat (0 bytes)
The process %original file name%.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dEoEUQwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\twQcgcco.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dEoEUQwE.bat (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3777 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tegEIkgM.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YgwwIwkU.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tegEIkgM.bat (0 bytes)
The process %original file name%.exe:1036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sGgQooAs.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wYwogMEA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sGgQooAs.bat (0 bytes)
The process %original file name%.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RqEUgkME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yiIUQokg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RqEUgkME.bat (0 bytes)
The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lqIwsMYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jcwUEQIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IqMsgoQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jAcYkEsE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lqIwsMYs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jcwUEQIo.bat (0 bytes)
The process %original file name%.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKwcgQQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DKUwEQso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TYkkgQow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hiwggwgo.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TYkkgQow.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hiwggwgo.bat (0 bytes)
The process %original file name%.exe:1864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DIksokoU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cGIMYskE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XoIwUEQk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TIUMcMoQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DIksokoU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cGIMYskE.bat (0 bytes)
The process %original file name%.exe:780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KoEwkMUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GaAMowgU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GaAMowgU.bat (0 bytes)
The process %original file name%.exe:220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qMkwkQYk.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zEMAgsAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nkYQUwok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AmckMYkM.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qMkwkQYk.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nkYQUwok.bat (0 bytes)
The process %original file name%.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CcQEEAEM.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EwkQwwgw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkwoocgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RoUkEUIc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CcQEEAEM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkwoocgs.bat (0 bytes)
The process %original file name%.exe:1028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XUYMEgMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qYYwYkME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XWkIEQMg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teEYoAYo.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qYYwYkME.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XWkIEQMg.bat (0 bytes)
The process %original file name%.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QYssEwAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kiEsgIkc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xaQwEoUM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sSAwkYks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YOcwwcsg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWcwswAE.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sSAwkYks.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kiEsgIkc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xaQwEoUM.bat (0 bytes)
The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KGwkUoUE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PcggEksg.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PcggEksg.bat (0 bytes)
The process %original file name%.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYwMYAQs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NeocgkYQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WYwMYAQs.bat (0 bytes)
The process %original file name%.exe:728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ACAMkkss.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaYUYMQY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XGUwQQMk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xEIMAsIg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ACAMkkss.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaYUYMQY.bat (0 bytes)
The process %original file name%.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TMoUssEQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZkcAooIc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TMoUssEQ.bat (0 bytes)
The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\awQwUUsU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rugscYQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TggQsIYU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HAcwgIMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DcAscwkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AgQYAwAA.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TggQsIYU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AgQYAwAA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rugscYQA.bat (0 bytes)
The process %original file name%.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aioMMAkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\luEkMEgY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\luEkMEgY.bat (0 bytes)
The process %original file name%.exe:1160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XmEUQUUo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fGssEEAA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XmEUQUUo.bat (0 bytes)
The process %original file name%.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RQEUUoMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWcsgYgc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fmMwIcoA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MWMosYQY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RQEUUoMI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWcsgYgc.bat (0 bytes)
The process %original file name%.exe:232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gsEkcsoE.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYYAkYsA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gsEkcsoE.bat (0 bytes)
The process %original file name%.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QUgIwMsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dSAkAUAE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QUgIwMsQ.bat (0 bytes)
The process %original file name%.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bwgosEco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sKMMEAQs.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bwgosEco.bat (0 bytes)
The process %original file name%.exe:1568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aiIwoUsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TIowoAsE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TIowoAsE.bat (0 bytes)
The process %original file name%.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwkQEYoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuIMkEMU.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nwkQEYoM.bat (0 bytes)
The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SagcAEoU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xYYoYEAo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yAUMoUMw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pwssIcgc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xYYoYEAo.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yAUMoUMw.bat (0 bytes)
The process %original file name%.exe:1176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KuIAIEMs.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imkYUkgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UsQgoMYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rUoQsgAs.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KuIAIEMs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imkYUkgo.bat (0 bytes)
The process %original file name%.exe:776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKoowUsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YkYQQwMo.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nKoowUsc.bat (0 bytes)
The process %original file name%.exe:612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QIwsUwcA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SyoockcM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SyoockcM.bat (0 bytes)
The process %original file name%.exe:1608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CeskgssA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VSgEgIoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WOwosocE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rWUkwwkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yKwsMIIg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jAQwAkMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jkccUwYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fAQIAsEA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mCMwQokQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcIQEMMc.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (105774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ceMUwkgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eyAQoUsY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rWUkwwkM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jAQwAkMI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jkccUwYA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fAQIAsEA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CeskgssA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcIQEMMc.bat (0 bytes)
The process %original file name%.exe:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AYQoQoUA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QSMsEsUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jiMIsQYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KEkAoksM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DOQogQIM.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (70516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qOsYMIkU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sAIgAQcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NIcQEoUE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qOsYMIkU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KEkAoksM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AYQoQoUA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DOQogQIM.bat (0 bytes)
The process %original file name%.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NuwoMoYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duUQcQkg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NuwoMoYo.bat (0 bytes)
The process %original file name%.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vgsMsYog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AUEUkIoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suwwIwgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yykYQIsQ.bat (112 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (52887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkoQoMUI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lUEMgkEY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\suwwIwgk.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkoQoMUI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AUEUkIoM.bat (0 bytes)
The process %original file name%.exe:940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HAcckEUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FAwkkIcE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HAcckEUs.bat (0 bytes)
The process %original file name%.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGUYwoks.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fuoAgYQE.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fuoAgYQE.bat (0 bytes)
The process %original file name%.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QOUkMUos.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CuYggYYc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HYUgEQks.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HasgUckc.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QOUkMUos.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CuYggYYc.bat (0 bytes)
The process %original file name%.exe:476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nqYQYggU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eYkwYgkA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\eYkwYgkA.bat (0 bytes)
The process %original file name%.exe:2004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XSoEUAcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kaIwIsAI.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XSoEUAcI.bat (0 bytes)
The process %original file name%.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vioskAgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uioEYkEA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uioEYkEA.bat (0 bytes)
The process %original file name%.exe:804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OqcwMIMk.bat (4 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DqkMIIoo.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OqcwMIMk.bat (0 bytes)
Registry activity
The process NesIMIQs.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 05 B3 B2 D7 3C 3E 29 E7 9A 19 D3 F8 1D 8D 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process fGAwoYMM.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 4C 25 07 DE A3 35 0B 2C 2F 97 4F 98 77 DE 90"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 C6 4A F7 FA AF 11 76 8E E0 25 44 4A 2F 57 EC"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process cscript.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CE A2 82 96 A3 E0 56 DA FE F3 39 7A 2B F7 CF"
The process cscript.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 E9 A7 89 BE 9B EA 86 E6 DC 0D CC 1F F0 B9 78"
The process cscript.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 EE 27 10 D6 CE A6 5B 1F 3B 83 8E C7 28 BF F5"
The process cscript.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 DD BC 87 C6 E5 A8 C0 0F D4 62 BF 08 D5 F4 D2"
The process cscript.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 1E 9C E9 E8 BD FD 4A B8 D5 9E 34 F4 2B E4 21"
The process cscript.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 5E EB 36 FA 16 FC B0 7C AF C9 52 46 2B 9F 7F"
The process cscript.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 61 60 7E 54 81 12 13 1C C6 39 61 62 C1 9A 72"
The process cscript.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 B9 6A 3B 1E 96 83 87 52 E7 1F 0B 50 82 0F 71"
The process cscript.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 5A 2C 6D DF 75 B3 3A A7 3C 31 E6 F9 99 87 17"
The process cscript.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 EB BC 30 DE 3F 0A 24 4F 5D 33 39 8A 5B 99 CD"
The process cscript.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 46 29 E9 0A BB 1A 4E 11 84 41 D6 99 48 D5 2E"
The process cscript.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 60 37 C7 C6 AD 2E 2F D2 1D 95 06 D4 62 65 BE"
The process cscript.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 40 46 78 78 E2 E7 2E DC 3A 43 42 B7 44 C6 98"
The process cscript.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 22 82 B0 98 11 D1 A1 D9 CA 96 9A E9 2F 5C E2"
The process cscript.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 F8 24 02 47 F9 5A DA 56 37 D5 6C 01 1F 65 95"
The process cscript.exe:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 3B 04 47 63 3A 9C 4D 8A 74 77 F9 91 A7 B0 9C"
The process cscript.exe:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 8B 78 53 BB 54 05 95 AD FC 31 F7 4C 05 80 CE"
The process cscript.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A F9 80 E0 78 C9 FE 3B 0E 17 B7 DD F7 36 7A 2E"
The process cscript.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 11 3A 33 56 01 59 AB B7 D2 A5 E5 A1 B0 FC C2"
The process cscript.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 8A 32 38 71 F5 36 BD 62 A9 48 78 26 A7 95 A5"
The process cscript.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 DF 2B E1 DD 3B 67 F2 E5 7D 0E A7 B0 54 EA 73"
The process cscript.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 D6 2F 90 12 20 FE 38 BE 9C F7 D4 3A FA A6 BF"
The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 25 FE 9B 5C 5D 64 8E 4B 27 F3 6A 35 D7 1D 2B"
The process cscript.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 D7 49 67 B0 9F C0 56 C4 0B 14 3A 77 5E 3C 77"
The process cscript.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 EA 96 3F E5 EF ED 92 E4 E8 BB 43 C5 84 A9 D7"
The process cscript.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 3C A1 E2 94 6F 15 64 DD 21 28 99 B8 40 D5 D3"
The process cscript.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 37 3F D8 ED 20 5D D0 BD 4E D0 A0 D5 92 0C 7A"
The process cscript.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E C4 F6 96 17 8C 96 8E 4C 8C 04 27 8D C6 DE 3A"
The process cscript.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 F9 56 C1 8C FE E9 6D 27 6D D5 8A 72 B4 B6 12"
The process cscript.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 25 69 11 47 C7 99 38 7E D1 E2 BF 2D 49 BC F3"
The process cscript.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 04 D8 DB A7 61 4D A5 F3 90 8C CA D5 AB 3F C6"
The process cscript.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 CA 4D CC A2 41 24 FD 17 BB EE 6B 1C 6B 61 9F"
The process cscript.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 80 E6 13 02 D2 5B 44 82 BB A6 14 E5 56 C2 CB"
The process cscript.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 33 F3 F9 BA 1B EC D7 0C 57 DD 0E 21 E7 3E 27"
The process cscript.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 F8 EC B3 08 1B B3 AA F9 CD 99 2C 5C 1E 22 46"
The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 6B 51 C5 19 05 B8 C3 CD 0F F2 DB ED 38 49 96"
The process cscript.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 73 94 C8 FA B2 5D 13 8F AF 28 AB 66 55 E6 19"
The process cscript.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 A8 71 E9 C5 FE D4 2A 38 6C 7F C7 FC 2F AD A7"
The process cscript.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 4E 58 E8 4B 0D 7F 5A 65 9D FB AA EC AD CC 77"
The process cscript.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 2B DC 25 F0 31 FC 78 67 4F 39 86 9F 90 40 03"
The process cscript.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 AC 57 CA 31 92 C3 66 7F C0 C0 F7 09 72 8A 66"
The process cscript.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D AD C1 8F 79 FA F8 B4 04 27 DD 8A 11 7A 17 32"
The process cscript.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 9A D1 19 E2 A4 C5 0B 5D 03 80 4E 27 F7 73 5E"
The process cscript.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 78 46 54 9D 25 B3 CE 6E 7B 75 B3 15 AE B6 E0"
The process cscript.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 75 1E 59 75 BE AF 27 84 98 1A 52 A6 02 AE EE"
The process cscript.exe:788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 1A EE 44 52 75 6A 5F 25 52 7C 33 65 D2 9B 55"
The process cscript.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 67 F1 61 19 8C 0F 2D 7F 16 5A EF 06 B5 B9 B9"
The process cscript.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 9F F6 87 C2 8D C6 71 ED 53 E7 7F 18 67 73 32"
The process cscript.exe:1224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 B4 03 4C 70 6C 02 C7 9E 42 B3 9A BE A0 8A 12"
The process cscript.exe:572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 5F B4 D8 E2 E2 85 19 BC 8E 31 76 4A 98 6B DB"
The process cscript.exe:1344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 10 28 99 FC 67 24 CA 2F 2B 3A 8C 09 BC 62 CF"
The process cscript.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 54 41 C9 53 75 AA 6F F9 64 8F 0B E0 C1 29 AF"
The process cscript.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 3E 70 FD AF AE D7 A9 4F CD 30 5B 1D 0A 1A C1"
The process cscript.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 12 BE 99 70 75 1B 4F 75 9F 4E 76 75 47 B1 79"
The process cscript.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 50 FC 19 19 74 89 38 E3 5C 5C 80 70 A4 96 CF"
The process cscript.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 C1 6B EC 4F 35 EA 25 0F A5 40 E7 77 D4 8B 14"
The process cscript.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 76 8B E8 F5 4E 42 BF 93 25 14 C6 57 DE 5D 0F"
The process cscript.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 B2 03 1C 4B A0 BB DB 52 F0 30 4B AC D5 8B 47"
The process cscript.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 C8 65 CC C1 DF F4 E5 37 D8 7A AD EF B9 47 4D"
The process cscript.exe:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 0F 81 4C 90 AB 61 A3 92 F5 4F F1 95 9A 6D 90"
The process cscript.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 EC A5 7F 6B F3 3D AA EE 90 2B AC AC 31 77 3E"
The process cscript.exe:1864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 7C 29 DD A9 EF AE 7D C2 D5 9A 1D 79 87 59 59"
The process cscript.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 BE 24 51 DC 58 95 C0 35 08 97 66 DC A9 69 44"
The process cscript.exe:780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 40 4D AC 61 E0 61 52 86 2A 86 25 75 FB CE 85"
The process cscript.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 7C 0C CD 7F EC C5 FA 9C AB 31 7B B9 09 FC 6C"
The process cscript.exe:1620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 E9 50 90 00 72 88 1F 61 0C DF F2 D6 44 46 1F"
The process cscript.exe:1028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 E1 42 E9 9D CB 05 1A E9 2C 80 F1 2D EE 02 78"
The process cscript.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 89 BF F7 AC 5E 71 D1 42 49 36 7D 2A 71 6F E6"
The process cscript.exe:1104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 1C 81 71 11 EB C2 5D D8 98 8F 00 59 8A 79 98"
The process cscript.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F ED 55 2D 88 B5 41 7F 44 70 2C E0 DD 3E 3C 52"
The process cscript.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 65 1B 7F B5 1F CA BC F9 D5 08 6B F8 CE A8 3D"
The process cscript.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 AB B1 CA 56 11 82 8B CF A6 04 81 7A F0 2E B6"
The process cscript.exe:728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 58 51 4E 45 A3 7D 1A C1 E8 C3 19 D5 B8 40 90"
The process cscript.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 CA 4E 30 D4 E4 52 1A 7F 9F D8 39 7D 76 35 59"
The process cscript.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D B8 C8 14 6A 63 AA 92 BA 65 20 1D D9 68 2D 2F"
The process cscript.exe:1168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE AF 8C B4 97 C4 7D 85 30 9E 9D 30 F1 FF 3A 6B"
The process cscript.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 27 6A 44 5A 9E D2 40 1A 3B AD 1B 1A B3 20 63"
The process cscript.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 4C 66 34 6D 43 6F F4 E9 9D E8 75 68 29 15 0D"
The process cscript.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 B9 FC 4F F0 93 1D 61 3A C1 76 8C 22 7A 92 16"
The process cscript.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 FB F3 8B F5 1F 90 04 5A 23 90 98 41 BE AF 5E"
The process cscript.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 3D 16 A8 7A 1E 0E 1B 04 BC 52 C1 7D F9 AA AB"
The process cscript.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA E9 98 87 43 1C 5A 09 07 C1 93 74 8E A1 8A AD"
The process cscript.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 6D 39 96 60 26 8C A5 26 C0 A0 42 08 20 4A 32"
The process cscript.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 22 B2 61 89 A3 18 73 01 53 3E E3 1B C3 45 68"
The process cscript.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 4B CC 87 12 EB 59 CD 43 D6 0F 62 CA 3F 4F F4"
The process cscript.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 25 FA 1F F3 15 63 C4 3C AF 5F 50 2B 75 5E 62"
The process cscript.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 80 7B 63 87 60 E3 10 2E B4 E9 F9 C2 6B E8 53"
The process cscript.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 BA 65 DF B7 DD F7 6B 7B 35 10 35 71 43 45 46"
The process cscript.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 77 8D 8E 92 12 95 9C BA 7A 44 8D 3E AD 6F E1"
The process cscript.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 A7 30 A3 75 17 D4 57 91 57 C6 8C 8B 32 3D 47"
The process cscript.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 60 40 76 75 96 19 B5 85 68 8E 8D BB 93 46 BF"
The process cscript.exe:792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB C1 BA 1D 8B A3 2C 93 14 1E D3 7D C3 4D 34 BC"
The process cscript.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 40 89 8D D7 9E F8 00 14 01 BC CA 47 47 D9 07"
The process cscript.exe:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 63 84 97 ED 25 0E FE 9F D9 98 87 A1 7D 53 E2"
The process cscript.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 C4 99 3E 97 DC AF 98 85 10 E7 03 CE 32 28 BB"
The process cscript.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 E4 BE 06 5F 6E 6E 46 E1 2F 8C 2F A7 EA 89 54"
The process cscript.exe:940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 92 4F CE 8A C7 EF D1 92 22 02 48 D1 39 6E 70"
The process cscript.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 72 30 ED 46 CD 65 D4 09 37 83 DB 31 5D 5A 7F"
The process cscript.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 17 FB 79 C5 EB 03 B1 3F 20 F0 AE 1E 2F 90 7F"
The process cscript.exe:2004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 C4 91 65 4B 1D 69 D9 0D 45 DF E9 AB AD AB D3"
The process cscript.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 67 0A C1 CC E1 15 E9 F1 AD 9B AE 31 A5 EF 14"
The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF E2 F3 89 A4 53 0A A6 1E 87 14 03 5D AF B2 C2"
The process %original file name%.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 E9 A8 E8 55 59 59 9A 11 A3 31 FF 97 E7 82 7F"
The process %original file name%.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 53 76 9F B1 36 D7 08 6D 96 EB B7 CC 6D 45 27"
The process %original file name%.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 9C 6D 43 89 B0 CF 2E 21 57 FF 97 4D 52 FD 9F"
The process %original file name%.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 F8 B7 D7 C7 B2 CB 8C 5F 7B 70 62 F0 CF 13 BC"
The process %original file name%.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 09 95 55 A7 02 AB FA 4F 57 F7 0C 83 08 02 C6"
The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 50 04 F7 4A FA 84 62 50 58 A6 A6 51 2C 32 12"
The process %original file name%.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 FF 09 D7 D8 41 B9 14 1F 6A 44 8F 36 31 00 06"
The process %original file name%.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 A6 6E D3 84 F3 4E B6 CA 8A 3C 39 C1 FE 77 98"
The process %original file name%.exe:624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 78 BB FC 83 D4 A5 21 1C E7 1E 69 22 67 A2 E5"
The process %original file name%.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 03 64 6C 8D 63 9F E0 EE 24 53 D2 A2 53 70 45"
The process %original file name%.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 02 1C 41 D3 18 62 E2 A6 F5 81 15 8D CA D8 B6"
The process %original file name%.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 7F FE 4E 40 B0 22 EB B1 96 54 A7 48 E8 2B E4"
The process %original file name%.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 D9 03 71 CB 27 BB D5 19 5A 06 20 EE 73 84 E7"
The process %original file name%.exe:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 05 A2 03 3C 27 F6 1A 13 89 3C 40 59 E5 6B 7D"
The process %original file name%.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 0F FC F9 A6 4F 24 7C 1A D1 C1 E0 C5 0E BE 53"
The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 CE 58 01 2A F1 7D 6C 6D E2 23 0C 83 86 5F 70"
The process %original file name%.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 56 24 05 51 4A 6E FF 8B 24 58 99 B7 14 CE 21"
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 DE 12 B5 71 5E D0 17 B5 4F 48 A0 A9 E4 32 A0"
The process %original file name%.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D E2 54 E0 B8 7C 08 8B D0 34 95 F4 A4 42 73 7E"
The process %original file name%.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D A9 EF 34 7D D3 95 65 85 A9 17 4D 0F 00 2F B4"
The process %original file name%.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 3B 56 F0 4E 54 AF 19 75 0C 05 CF D0 CE F2 12"
The process %original file name%.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 F6 1D 85 BD 08 68 88 63 0F 1F E7 1E B8 6F 29"
The process %original file name%.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 CE ED 49 73 1F 25 96 D5 D9 03 C5 C7 B2 E5 68"
The process %original file name%.exe:1824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 0E 9B 05 2A 4E 49 5A 90 30 AC 89 39 32 91 BD"
The process %original file name%.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 3E 55 6E 71 62 C8 D9 CF C1 80 83 A7 4A 19 D3"
The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 CF 24 00 B6 A5 5C CF 91 A0 50 3B AF E3 1D E7"
The process %original file name%.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD E7 B9 ED 14 6D 06 C9 8C FF EB 51 9A D5 3B 59"
The process %original file name%.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 C6 B5 6D 34 DA F2 72 BF 59 32 2D 2B 13 F9 FB"
The process %original file name%.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 CC FB 10 3F E3 7F 46 6B C6 C7 27 29 CF D0 DB"
The process %original file name%.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 2D 2A 54 D3 93 B0 5A D7 13 8A 55 E8 8D 22 B3"
The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 FB 67 1F AD 67 72 FA 2D 8F 99 D9 66 85 C8 D9"
The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 51 2E 82 95 BE B2 51 A3 30 20 48 49 BE E1 B6"
The process %original file name%.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 F3 E7 7C 18 B1 80 1B 57 71 F5 80 54 A9 76 3B"
The process %original file name%.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 6F 0C EF DA BD DC 0A 76 2E 84 40 AA 01 56 85"
The process %original file name%.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 22 FB 2E 46 5E 55 AD 22 F2 5C 33 F2 D3 77 CF"
The process %original file name%.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 F6 29 B9 F0 EA 9D 7C D8 F3 AA 1E 42 0F 99 3D"
The process %original file name%.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 7C 02 AB 93 0F 36 DF E8 0A FE 5C 2D 29 C4 B5"
The process %original file name%.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C EA 84 29 5F 1D 0F C0 90 48 4B 7D EC 99 F0 01"
The process %original file name%.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 5A B2 20 65 19 AD DF EC 8C 81 EA 31 79 A6 91"
The process %original file name%.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 DF 07 2B 95 A7 B9 CF 5D E8 70 37 7A 99 52 06"
The process %original file name%.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 F3 7A AE E2 E5 3F BD 3F D2 0F 36 B9 3E 55 C7"
The process %original file name%.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 0A E5 15 81 58 4C 4E 67 C8 9A 1A 69 92 E5 BF"
The process %original file name%.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 AB 9E 2E BB 56 1C BF F2 11 2C 74 7D A5 48 4E"
The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 1F 88 DD 81 B2 0F 15 4E 7D 31 2C F4 B8 C3 ED"
The process %original file name%.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 73 6F FC 6F 06 3E AD E9 32 20 8F 3D D4 01 29"
The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 04 F8 05 B2 75 B8 06 DF 2E 5F 90 C2 C7 20 FA"
The process %original file name%.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 40 C3 A2 A3 37 64 CF 13 76 98 43 E6 24 B5 6A"
The process %original file name%.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 59 EA 66 19 CE 90 B3 13 DF FE 67 2A F1 CD F5"
The process %original file name%.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A D5 BD 71 62 28 58 16 98 1B D2 70 A6 33 32 0F"
The process %original file name%.exe:788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 55 FC 00 09 E8 70 A2 6C D9 1B 09 E5 81 63 7B"
The process %original file name%.exe:848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 92 AB A5 4D 08 4D CC CF 76 3F CA 7B CF 4B 11"
The process %original file name%.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 51 E1 DA CB D5 95 01 D9 5C DD C7 46 41 74 D1"
The process %original file name%.exe:1244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 FB 8C 67 51 97 2E D2 22 CB 1A 8E 5D 97 71 1B"
The process %original file name%.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 F4 BC E3 52 E6 72 76 52 61 DF 7C 09 A7 51 F1"
The process %original file name%.exe:1220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B DF 58 B9 CA 70 45 07 B4 00 37 5D 64 80 A7 DE"
The process %original file name%.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C D8 37 17 20 B1 95 0B E4 90 6F D9 2D 69 6E 5E"
The process %original file name%.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA B1 1E 3B EA 64 22 A1 37 B7 67 25 B4 3B 1D 97"
The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 5D 43 EE 36 A9 D6 3F DA E8 EB 36 54 44 A1 A5"
The process %original file name%.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 9A 87 86 D6 74 11 2E 1F 5E 62 5F 98 BE 50 7C"
The process %original file name%.exe:852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE B9 9F A1 A8 CE 53 02 69 0A 41 20 79 5A 67 02"
The process %original file name%.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 BC 30 60 F6 B5 F8 56 D2 C0 EB 84 FF 3C 53 8C"
The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 96 9B 08 2F 63 9B A1 F2 8C FA 10 67 37 34 AD"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 6F 06 50 63 51 00 81 A0 B6 45 E6 20 5C 8E 78"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 8E 46 23 40 D6 BF F8 63 0F 65 E9 E8 CD 5D BA"
The process %original file name%.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 01 4A 43 46 17 C1 0B A0 D8 45 B7 53 F8 C5 1B"
The process %original file name%.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D E7 B6 2B 29 7F BC 46 F3 1E 67 85 A7 67 23 AE"
The process %original file name%.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 A4 DA 7C 5A 30 A9 DD 37 57 F4 6A 02 EA 90 47"
The process %original file name%.exe:1864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 F0 C3 09 35 FF F9 B4 82 C3 3E C5 18 D9 EE 8F"
The process %original file name%.exe:780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 91 A1 2D 5C BB 1A 42 28 10 F8 B3 FC 72 82 8C"
The process %original file name%.exe:220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 53 2F D8 2A 04 CB F7 47 DD 40 44 CD A1 30 90"
The process %original file name%.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 FE 51 BB 4E B8 A8 E4 4C F3 67 09 FD 19 97 B4"
The process %original file name%.exe:1028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 31 4C 85 07 A0 F7 71 84 C2 D1 2D 99 68 81 00"
The process %original file name%.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 25 9F E7 47 0A 20 C1 59 9A 39 94 33 94 8D 85"
The process %original file name%.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 8C F9 1C 9B 65 1A 5C BC A4 C1 C0 B4 16 9F 03"
The process %original file name%.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 4E 70 C7 AE 45 97 FC 85 F3 15 29 CB 59 25 6A"
The process %original file name%.exe:728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 E2 35 3A F5 AC 09 41 F9 1E F7 2A A1 6D F4 22"
The process %original file name%.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 A6 3E 71 C6 BA 66 7E 60 43 07 62 87 E0 94 94"
The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 ED C8 CF B2 39 AE D5 EF 92 C0 EE 65 D5 D5 EC"
The process %original file name%.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 B4 94 FF D8 AC 69 ED B6 C3 67 AD A4 2E D0 2C"
The process %original file name%.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 08 F4 27 C3 1D FC 8C AE 56 52 8D A3 55 70 F0"
The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 78 9A 4E C0 46 58 A4 E4 3B 99 19 4F 70 22 EF"
The process %original file name%.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 1B 5C C6 B1 56 1C 3A 4C 2F DD 04 8C 8B 00 73"
The process %original file name%.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 2A 71 9C BF 0F 4D A8 76 1A 5D 1F A5 74 0F 99"
The process %original file name%.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 AA EE 28 2E 22 2C 53 74 10 59 31 3B 1C FB 6D"
The process %original file name%.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB C0 E4 25 10 39 AA D1 8B 5F 34 2C 8D 09 E6 A2"
The process %original file name%.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 5A 4F 62 6D 47 0C 2D 3D 33 8E 93 15 5C E3 BF"
The process %original file name%.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 11 7D 82 0B 95 ED B0 26 32 C7 55 9C 00 2D 3C"
The process %original file name%.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 3F 67 87 33 7D FB 79 89 B2 55 F8 48 74 13 B2"
The process %original file name%.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 C2 D6 D9 E0 11 24 8A 98 C2 95 51 C3 C3 6C 66"
The process %original file name%.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 9F E0 40 70 02 D9 1C E4 8E A8 AC 0E 6A 83 FD"
The process %original file name%.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 3C 3E F4 B0 6E FE 2D 17 68 97 21 51 7E D9 F8"
The process %original file name%.exe:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 FE C9 90 6F 61 3B 41 44 9E 9A 26 1F 37 FB 35"
The process %original file name%.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 6C A7 79 FD 37 E8 95 BE 8A 5F C0 C2 41 E9 65"
The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A DB A3 FE A1 51 A4 4F 8D 0F C6 C2 89 CC 6F 70"
The process %original file name%.exe:940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 E3 7A B7 9B 09 C2 69 62 BE C8 C5 1E B4 D0 E8"
The process %original file name%.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 78 D9 22 0E 17 83 60 81 7B C6 2E AF 54 CD 99"
The process %original file name%.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 77 C7 11 C9 3A 4C 7A F1 C1 4E BA D1 15 95 61"
The process %original file name%.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 6C F1 42 D5 B7 D3 32 C1 7F 1F 98 53 C7 4E 24"
The process %original file name%.exe:2004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 6F 57 B3 C3 DD A9 CA C5 4B 1C D2 D3 69 B4 BB"
The process %original file name%.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 8E 15 F4 D3 86 9A 1C 43 82 C5 45 5E 66 E9 24"
The process %original file name%.exe:804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 0A 15 A6 F0 94 5A BA C9 C4 8D 3F 96 3F 76 5B"
Dropped PE files
| MD5 | File path |
|---|---|
| 367dae0d20d63ef8c438274cd6bec59b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
| 91c0cb7bbe1b09196133ce7ef83ce284 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
| 633c8c9a74e4239f63b36826481ed17c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
| d5e7159a0ba9bf66f5a798f7329f1848 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
| 3674b0b5e65eb60026ea3347e63b07a9 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
| c2b09e1881d3a7448bd3b1133499f381 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
| c4168a2d672689e83839ab3c93612a56 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
| 8cfe7cb13045eee6cb36f0e6ba60231e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
| 317eecf55acff2c93d0c60b2e99d8ba5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
| 64139608bbf8c74866c295cb97b329e3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
| b8b7e8260829d7190b943098e5c324db | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
| f3f213cdc1d6ea6c3ae9004761fafb73 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
| b478bba422f873b72699023102986b2e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
| 7ab60bc1eb1ed94ffdd7f507b9514260 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
| 754e1fc4d11f4dbfdf4fe4207dad68f2 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
| de084d538ef0a44b95179940a4369958 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
| a9c1b00013a44f9406025bef1a7382d3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
| 084e5bbbae0b2118f5cb9e520d1a6bbf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
| 000c67abb5c81eed83d9a448333d9aaf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
| 3b589b4d0d0435ec5f56766780ac3f76 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
| aa2556fd2712bc937ac991d35059bd4e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
| 63c22897032955f31942133bf5df26ea | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
| fb2588dc5c93858c583d97c9b8b7c78a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
| 91bfb628a19b5d13e134ad68ec5ef1d2 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
| 542b43b5d25f3872714fe251c77a3e92 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
| 2b39449f1d64e097203a79abefb49c2c | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
| b26698e339d8f49ccf6c8510ad7076bd | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
| 04f70d087b17d5824b592634d6604b24 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
| 192c3ae81c6f190901da54fbf9157841 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
| 6f32d45211e4249c3d11bc71f1ac7a39 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
| cdd73670c49c4646594bc6820b265354 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
| 306b5fd86a5ed89c19220cad1d075527 | c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe |
| 63a1352d4227f7084ae8fe5e204ba3cf | c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe |
| eb38fd751b5ad6b18409b007d446cd6f | c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe |
| 93d06beb56c4c3459d8511b5dd4d2a9b | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
| 7ec2a853cfca77f8cbf224b77c5ad77b | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
| 3b2b5969fa6f3a604e31392f947ee2c1 | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
| c0bf95deee30f4993376e5a20d378861 | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
| 83d720d099d46423a30492f6790d0c35 | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
| 95beb11f49ea80a371d12db0fc997273 | c:\Perl\html\images\AS_logo.gif.exe |
| e55da2f5585542741874303e4e13265f | c:\Perl\html\images\PerlCritic_run.png.exe |
| e9b97413bc7de0988219952e053cb7f2 | c:\Perl\html\images\aslogo.gif.exe |
| 801d9d0c4f3beab2fb4724d9443be9f1 | c:\Perl\html\images\ppm_gui.png.exe |
| 7b0d808d2280608c8512afeab9485f63 | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
| b466aa58461993dbc396d054d4adb760 | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
| 1f2fc80783b554b600165f647796b042 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
| 099e05451e57ec63c48ada9848c4f13c | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
| 7a304002eee4ad0bfaa3c3f5e19dd6e2 | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
| 9d955326b5b0e44db256874914d05516 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
| 41095098837aef9c3742a65670f175a0 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
| 55c56ecaea13abada2dbe3f53e79710e | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
| 8d9bf422e5eda8b90087fb5aa302b0de | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
| ea0d1ce2fb5c137fdf342cc46ca66902 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
| 151ef9765d65e2e1bb5f5b460d050c42 | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
| 66e68c50c184109efd1f006595734d83 | c:\totalcmd\TCMADMIN.EXE.exe |
| 276f95a6f64f32b95226275021ce7778 | c:\totalcmd\TCMDX32.EXE.exe |
| 7becfa161fa8dedb1b7c789968e82f90 | c:\totalcmd\TCUNINST.EXE.exe |
| 44b78e6bb16c5146a38feee7b5693c6e | c:\totalcmd\TOTALCMD.EXE.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 3354624 | 3353088 | 5.54011 | 2da02d446387451d41a2ae48f4afd887 |
| .rdata | 3358720 | 4096 | 512 | 1.62422 | 0f1e041cf042f9a540c5201fa3a99843 |
| .data | 3362816 | 225 | 512 | 2.87283 | 5499b9b8f78035542bf6034e6b8ef72e |
| .rsrc | 3366912 | 6940 | 7168 | 3.86784 | 7c8872fd466e8c163b1960942102aa6e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://google.com/ |  173.194.113.195 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cscript.exe:1788
cscript.exe:1304
cscript.exe:1140
cscript.exe:212
cscript.exe:1780
cscript.exe:1300
cscript.exe:492
cscript.exe:1948
cscript.exe:1836
cscript.exe:1076
cscript.exe:1072
cscript.exe:344
cscript.exe:544
cscript.exe:1376
cscript.exe:1520
cscript.exe:548
cscript.exe:284
cscript.exe:1672
cscript.exe:2012
cscript.exe:1792
cscript.exe:1152
cscript.exe:260
cscript.exe:1952
cscript.exe:364
cscript.exe:928
cscript.exe:828
cscript.exe:824
cscript.exe:372
cscript.exe:376
cscript.exe:1080
cscript.exe:1920
cscript.exe:1484
cscript.exe:1716
cscript.exe:1256
cscript.exe:520
cscript.exe:1016
cscript.exe:1236
cscript.exe:304
cscript.exe:380
cscript.exe:1932
cscript.exe:1252
cscript.exe:1936
cscript.exe:1436
cscript.exe:900
cscript.exe:1432
cscript.exe:788
cscript.exe:1536
cscript.exe:644
cscript.exe:1224
cscript.exe:572
cscript.exe:1344
cscript.exe:332
cscript.exe:252
cscript.exe:1900
cscript.exe:1632
cscript.exe:1980
cscript.exe:1500
cscript.exe:1036
cscript.exe:500
cscript.exe:636
cscript.exe:1596
cscript.exe:1864
cscript.exe:280
cscript.exe:780
cscript.exe:868
cscript.exe:1620
cscript.exe:1028
cscript.exe:2024
cscript.exe:1104
cscript.exe:816
cscript.exe:1452
cscript.exe:408
cscript.exe:728
cscript.exe:604
cscript.exe:1160
cscript.exe:1168
cscript.exe:552
cscript.exe:232
cscript.exe:1240
cscript.exe:1964
cscript.exe:1196
cscript.exe:2036
cscript.exe:1112
cscript.exe:2032
cscript.exe:1176
cscript.exe:776
cscript.exe:612
cscript.exe:1272
cscript.exe:616
cscript.exe:1276
cscript.exe:1288
cscript.exe:792
cscript.exe:1608
cscript.exe:1040
cscript.exe:1044
cscript.exe:1604
cscript.exe:940
cscript.exe:1472
cscript.exe:476
cscript.exe:2004
cscript.exe:2008
cscript.exe:1368
%original file name%.exe:1304
%original file name%.exe:1140
%original file name%.exe:1300
%original file name%.exe:212
%original file name%.exe:492
%original file name%.exe:1948
%original file name%.exe:268
%original file name%.exe:1076
%original file name%.exe:624
%original file name%.exe:1072
%original file name%.exe:340
%original file name%.exe:544
%original file name%.exe:280
%original file name%.exe:284
%original file name%.exe:816
%original file name%.exe:2012
%original file name%.exe:1792
%original file name%.exe:1796
%original file name%.exe:1152
%original file name%.exe:264
%original file name%.exe:1228
%original file name%.exe:1016
%original file name%.exe:520
%original file name%.exe:1824
%original file name%.exe:1064
%original file name%.exe:828
%original file name%.exe:824
%original file name%.exe:372
%original file name%.exe:376
%original file name%.exe:1532
%original file name%.exe:1920
%original file name%.exe:1480
%original file name%.exe:1484
%original file name%.exe:1716
%original file name%.exe:1256
%original file name%.exe:1520
%original file name%.exe:364
%original file name%.exe:916
%original file name%.exe:584
%original file name%.exe:1232
%original file name%.exe:1336
%original file name%.exe:304
%original file name%.exe:1984
%original file name%.exe:588
%original file name%.exe:380
%original file name%.exe:1932
%original file name%.exe:1252
%original file name%.exe:1436
%original file name%.exe:1432
%original file name%.exe:788
%original file name%.exe:848
%original file name%.exe:1240
%original file name%.exe:1244
%original file name%.exe:436
%original file name%.exe:1220
%original file name%.exe:332
%original file name%.exe:252
%original file name%.exe:1900
%original file name%.exe:1632
%original file name%.exe:852
%original file name%.exe:1988
%original file name%.exe:1500
%original file name%.exe:652
%original file name%.exe:1036
%original file name%.exe:500
%original file name%.exe:1216
%original file name%.exe:1596
%original file name%.exe:1864
%original file name%.exe:780
%original file name%.exe:220
%original file name%.exe:1992
%original file name%.exe:1028
%original file name%.exe:2024
%original file name%.exe:1672
%original file name%.exe:1452
%original file name%.exe:728
%original file name%.exe:1512
%original file name%.exe:1164
%original file name%.exe:604
%original file name%.exe:1160
%original file name%.exe:552
%original file name%.exe:232
%original file name%.exe:1964
%original file name%.exe:1196
%original file name%.exe:1568
%original file name%.exe:2032
%original file name%.exe:644
%original file name%.exe:1176
%original file name%.exe:776
%original file name%.exe:612
%original file name%.exe:1608
%original file name%.exe:1040
%original file name%.exe:1044
%original file name%.exe:1976
%original file name%.exe:940
%original file name%.exe:1472
%original file name%.exe:356
%original file name%.exe:476
%original file name%.exe:2004
%original file name%.exe:1368
%original file name%.exe:804 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
C:\3ff310bcb9359a384061ef12a31ea9de (35258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWMwEIUg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RekYQIws.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSsAwoYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uksEIAgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QuQEUYcQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ekoUUMsA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\poYAUQkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yCMQIcAA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsMoIAsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JckAwcMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iskMYogQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kuIgMQAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hAQMYUsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iMcIIcEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oAUcgscY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vsocQswc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wScwIUEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iyksEIoo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kmoQYIoo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QEocwUQI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aOIwYkQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcAgcMoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UAYAsMUU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fKIQoMgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teoAAQwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fWIUAMMQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LUAIgAws.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AWcsIwsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HQIMksMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YOgEgYgw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tGYIEMIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WysEcgsg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gcoQoMgY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EOgIgowI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wUEkgMEc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\giUcIQsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\doEwMUsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NIkwkkcM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qaYsQUYE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zQYkYIoc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWIUEAYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tWkQsMAc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\loAMUkUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hyQAIoYE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YQoUMsEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UoEMcwIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hsMYQwIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AekkcEMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WQgAgcEM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CoUswgEI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pkwQYIcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\igYQMQoE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ymQAccsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MuoocogU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OUAUMYQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PIEkoYco.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bmYsoAoo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKIgEowA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QQIksUIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGogMwQI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XMMgwsQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OWIsogAk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sysUIwsw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XugEIcIE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hmIgwMUg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DoEgoYwI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyYIEsgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuwMYAgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kMYAYMww.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qIYsEgoc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PyUEokgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DekkoIQk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AoEkoQIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IiAosIgU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\daUMEAwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aYcMMgwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zOEUcEkQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QwUQUUwc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EwEsgUkQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GWoYQYYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IewwEsAc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qEkwQEYE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zisgIAUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xIwYogoA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EqEAEAoc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AgYUsggA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LoEsYAcM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TesEsQII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PSQgEEsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vQgAYcYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQwYIQYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JeQIwsoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WgcUUkEc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEkwMAUU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YsMYwQYg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HCwYQsoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JagkwAkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vqkAgEss.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LwwYIgQo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lgMIIMYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iyEAsokM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DuMEMIso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEwUIQsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QSoUMYIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KgogwYMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zkkssEwo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\guUAIcsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMcUsUMU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eUAsQUkM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nWYoQogc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PkkQQYQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fAAgAMMU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SisMoMsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOgcUEEk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xwMogkAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FEAQwwUw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aIoQIgUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RGMgwswY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aUgQAAwU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\igUAoIMM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tkkQAgEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WGocckws.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QiwsoMIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hMAcckEg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WscQkoYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYoEwAYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngYQIwMQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HcggMswM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\foQMEckw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZAwEUQgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wMUYsYkY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JuoYEMAQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYAsIAYQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ISUcMcsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tIQIoYsk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GAogAUQI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jkskcMUM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cEoocMcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BUAAQAco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vIoQAYgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYssokMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TEcIMUgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AWsoIAYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BkUAkgck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oUMUEEAw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lSQwowYM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gYscsQYE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RaYcsgQc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xwsYMwUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MIwQwkYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RIEAAEQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEokAQUU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nIcAQgAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VIkUcAgM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NckgsoMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WkYMIYko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RCoEAoUA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKkoswQU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aAQgYksc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PIMcwcoU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WMgccUYU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ocwcMIwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KyMgMoAg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OgQwYooU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fgsMEsMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gAMIMwgY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YGUYYMIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jakYoIwY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEgYEUoM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HiUAUwYU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\guAoQcoE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQMkkUUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swwIsEcU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HmMAQkok.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JcYwcIkY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TmkMQgcA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uGQIkswU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAskoIYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eccgkYok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sEcIgEkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LyggkwMc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ImsswskU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nawYcIgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BooQkEEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\roYQwsQc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TCgMYkIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uyYMUcEs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rkQgIcwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kUYEEsQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqUsUsYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YWYAsYss.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NYkQcQsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NaUwQMwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LAIUQkAg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\igkoUAIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XaYQIQAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zOcQUEQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rqEcskAg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lSUIkMQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UWYEoswg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YEoUwAYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MQIIooUQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmswwMok.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KqAAwMMQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vAcQAEgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IoskcAUY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dEoEUQwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\twQcgcco.bat (112 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3777 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tegEIkgM.bat (4 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YgwwIwkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sGgQooAs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wYwogMEA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RqEUgkME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yiIUQokg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lqIwsMYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jcwUEQIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IqMsgoQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jAcYkEsE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKwcgQQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DKUwEQso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TYkkgQow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hiwggwgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DIksokoU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cGIMYskE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XoIwUEQk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TIUMcMoQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KoEwkMUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GaAMowgU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qMkwkQYk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zEMAgsAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nkYQUwok.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AmckMYkM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CcQEEAEM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EwkQwwgw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkwoocgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RoUkEUIc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XUYMEgMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qYYwYkME.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XWkIEQMg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teEYoAYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QYssEwAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kiEsgIkc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xaQwEoUM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sSAwkYks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YOcwwcsg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWcwswAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KGwkUoUE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PcggEksg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WYwMYAQs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NeocgkYQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ACAMkkss.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaYUYMQY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XGUwQQMk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xEIMAsIg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TMoUssEQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZkcAooIc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awQwUUsU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rugscYQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TggQsIYU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HAcwgIMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DcAscwkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AgQYAwAA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aioMMAkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\luEkMEgY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XmEUQUUo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fGssEEAA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RQEUUoMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWcsgYgc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fmMwIcoA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MWMosYQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gsEkcsoE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYYAkYsA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QUgIwMsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dSAkAUAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bwgosEco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sKMMEAQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aiIwoUsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TIowoAsE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwkQEYoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuIMkEMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SagcAEoU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xYYoYEAo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yAUMoUMw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pwssIcgc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KuIAIEMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imkYUkgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UsQgoMYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rUoQsgAs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKoowUsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YkYQQwMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QIwsUwcA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SyoockcM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CeskgssA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VSgEgIoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WOwosocE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rWUkwwkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yKwsMIIg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jAQwAkMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jkccUwYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fAQIAsEA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mCMwQokQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcIQEMMc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ceMUwkgg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eyAQoUsY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AYQoQoUA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QSMsEsUI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jiMIsQYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KEkAoksM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DOQogQIM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qOsYMIkU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sAIgAQcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NIcQEoUE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NuwoMoYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duUQcQkg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vgsMsYog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AUEUkIoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suwwIwgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yykYQIsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkoQoMUI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lUEMgkEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HAcckEUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FAwkkIcE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OGUYwoks.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fuoAgYQE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QOUkMUos.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CuYggYYc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HYUgEQks.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HasgUckc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nqYQYggU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eYkwYgkA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XSoEUAcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kaIwIsAI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vioskAgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uioEYkEA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OqcwMIMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DqkMIIoo.bat (112 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
