Gen.Variant.Kazy.1750_34806dcbe3
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.1750 (B) (Emsisoft), Gen:Variant.Kazy.1750 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 34806dcbe3e1df48f5f62f8b3380c55d
SHA1: 17c0708ec04b17934729ca164407dfe0239d5261
SHA256: 69f3074e272a23e656dae7bc2098e8564e7423b27c5dd79b7e695837414fe43a
SSDeep: 12288:CQiILiiEtabcstvz/HB2J1HCs6tdORYfjKPZejl8 xsu9SbSp9348qlWm7W4CZ I:CQiI2idpNTB2 rt9KW8 2qS vJ4Op1n
Size: 1001984 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3904
%original file name%.exe:2964
%original file name%.exe:3240
%original file name%.exe:2988
%original file name%.exe:2960
%original file name%.exe:624
%original file name%.exe:312
%original file name%.exe:2844
%original file name%.exe:2636
%original file name%.exe:332
%original file name%.exe:1920
%original file name%.exe:3380
%original file name%.exe:3824
%original file name%.exe:1924
%original file name%.exe:2548
%original file name%.exe:3308
%original file name%.exe:3736
%original file name%.exe:3164
%original file name%.exe:2896
%original file name%.exe:2196
%original file name%.exe:1208
%original file name%.exe:4008
%original file name%.exe:2344
%original file name%.exe:1908
%original file name%.exe:2540
%original file name%.exe:3472
%original file name%.exe:2544
%original file name%.exe:668
%original file name%.exe:3100
%original file name%.exe:3516
%original file name%.exe:3256
%original file name%.exe:2984
%original file name%.exe:656
%original file name%.exe:2380
%original file name%.exe:2268
%original file name%.exe:652
%original file name%.exe:1468
%original file name%.exe:2244
%original file name%.exe:1652
%original file name%.exe:2748
%original file name%.exe:1676
%original file name%.exe:2364
%original file name%.exe:2076
%original file name%.exe:2264
%original file name%.exe:2668
%original file name%.exe:2428
%original file name%.exe:3664
%original file name%.exe:3836
%original file name%.exe:336
%original file name%.exe:2280
%original file name%.exe:3596
%original file name%.exe:3608
%original file name%.exe:304
%original file name%.exe:1932
%original file name%.exe:2856
%original file name%.exe:1048
%original file name%.exe:244
%original file name%.exe:1148
%original file name%.exe:1956
%original file name%.exe:3404
%original file name%.exe:3056
%original file name%.exe:2632
%original file name%.exe:248
%original file name%.exe:644
%original file name%.exe:3880
%original file name%.exe:1644
%original file name%.exe:2640
%original file name%.exe:3540
%original file name%.exe:3448
%original file name%.exe:3564
%original file name%.exe:3152
%original file name%.exe:3500
%original file name%.exe:2492
%original file name%.exe:1288
%original file name%.exe:536
%original file name%.exe:2752
%original file name%.exe:352
%original file name%.exe:2416
%original file name%.exe:296
%original file name%.exe:2376
%original file name%.exe:2104
%original file name%.exe:3820
%original file name%.exe:2148
cscript.exe:1128
cscript.exe:2616
cscript.exe:2736
cscript.exe:212
cscript.exe:3808
cscript.exe:2592
cscript.exe:1080
cscript.exe:1328
cscript.exe:1260
cscript.exe:3060
cscript.exe:3272
cscript.exe:3256
cscript.exe:1908
cscript.exe:2824
cscript.exe:4084
cscript.exe:1896
cscript.exe:3208
cscript.exe:2928
cscript.exe:172
cscript.exe:2940
cscript.exe:2344
cscript.exe:3476
cscript.exe:3644
cscript.exe:3108
cscript.exe:2340
cscript.exe:3380
cscript.exe:2056
cscript.exe:4000
cscript.exe:256
cscript.exe:2224
cscript.exe:3796
cscript.exe:2304
cscript.exe:1944
cscript.exe:3588
cscript.exe:3972
cscript.exe:2684
cscript.exe:1476
cscript.exe:1676
cscript.exe:2364
cscript.exe:3896
cscript.exe:3928
cscript.exe:2500
cscript.exe:2080
cscript.exe:2620
cscript.exe:2456
cscript.exe:2876
cscript.exe:4092
cscript.exe:3384
cscript.exe:2936
cscript.exe:1336
cscript.exe:1796
cscript.exe:3876
cscript.exe:1152
cscript.exe:3708
cscript.exe:2484
cscript.exe:1800
cscript.exe:3648
cscript.exe:3268
cscript.exe:2728
cscript.exe:3176
cscript.exe:3508
cscript.exe:2088
cscript.exe:1636
cscript.exe:2768
cscript.exe:3460
cscript.exe:3036
cscript.exe:2232
cscript.exe:4072
cscript.exe:2108
cscript.exe:3988
cscript.exe:532
cscript.exe:412
cscript.exe:3164
cscript.exe:2164
cscript.exe:2376
cscript.exe:1664
cscript.exe:2536
cscript.exe:1724
cscript.exe:3484
The Trojan injects its code into the following process(es):
fGAwoYMM.exe:1276
reIEcoQI.exe:1564
NesIMIQs.exe:900
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process fGAwoYMM.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
The process %original file name%.exe:3904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FSsoUwUA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NKUsAggo.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NKUsAggo.bat (0 bytes)
The process %original file name%.exe:2964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sqUYgcIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MwIgkQQc.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MwIgkQQc.bat (0 bytes)
The process %original file name%.exe:3240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UsccogcU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQoEIgAQ.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EQoEIgAQ.bat (0 bytes)
The process %original file name%.exe:2988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SSMUEIMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HsQwsAIc.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HsQwsAIc.bat (0 bytes)
The process %original file name%.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UGEUMkUs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BmYkcQcU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BmYkcQcU.bat (0 bytes)
The process %original file name%.exe:624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EacgAIMA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zoEYUowg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zoEYUowg.bat (0 bytes)
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TeYMMwgg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iMAosYIA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TeYMMwgg.bat (0 bytes)
The process %original file name%.exe:2844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iekMYAQE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teIYoYkw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\teIYoYkw.bat (0 bytes)
The process %original file name%.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pqQoMYQY.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lAYkoYUk.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pqQoMYQY.bat (0 bytes)
The process %original file name%.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\JYcswMAs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rEkkgMco.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rEkkgMco.bat (0 bytes)
The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zIkEkAEo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GWAkMokI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GWAkMokI.bat (0 bytes)
The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qWYkIYQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiAoUoEY.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NiAoUoEY.bat (0 bytes)
The process %original file name%.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sKsEcQYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\poEYUIog.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sKsEcQYA.bat (0 bytes)
The process %original file name%.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MWoEUQkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pyockIUk.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pyockIUk.bat (0 bytes)
The process %original file name%.exe:2548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LScEAAsQ.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ROgYkAos.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LScEAAsQ.bat (0 bytes)
The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NCsgwkAk.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmoYIEsE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NCsgwkAk.bat (0 bytes)
The process %original file name%.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YaUckQUE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JoYkUoEg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OikgMAcs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JyUUIgso.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YaUckQUE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JyUUIgso.bat (0 bytes)
The process %original file name%.exe:3164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tYkMoAAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmEgossI.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jmEgossI.bat (0 bytes)
The process %original file name%.exe:2196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\VYoMIwMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fUAcIksw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fUAcIksw.bat (0 bytes)
The process %original file name%.exe:1208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FgEgMcoc.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCsEYgMw.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xCsEYgMw.bat (0 bytes)
The process %original file name%.exe:4008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ouMwkoYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hMosAsEE.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ouMwkoYQ.bat (0 bytes)
The process %original file name%.exe:2344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mkwkIMww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nUEsoQcg.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mkwkIMww.bat (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QugQUcIQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WucEIMQw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WucEIMQw.bat (0 bytes)
The process %original file name%.exe:2540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\guUYEkgE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiwAgQQA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\NiwAgQQA.bat (0 bytes)
The process %original file name%.exe:3472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nKYEIggg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WWIMcwcw.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WWIMcwcw.bat (0 bytes)
The process %original file name%.exe:2544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\VOIcsosY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWEcEMUA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DWEcEMUA.bat (0 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rUQIIYAg.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7713 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7737 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jeUsEoUo.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rUQIIYAg.bat (0 bytes)
The process %original file name%.exe:3100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BgIMAcgc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gQIcYQgQ.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BgIMAcgc.bat (0 bytes)
The process %original file name%.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MkcMssAw.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QewMskQY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QewMskQY.bat (0 bytes)
The process %original file name%.exe:3256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OOUskAkg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nAIcYsAg.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OOUskAkg.bat (0 bytes)
The process %original file name%.exe:2984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vUcIUogc.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMAwkAgw.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vUcIUogc.bat (0 bytes)
The process %original file name%.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kkUMIscQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQMIoMsE.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EQMIoMsE.bat (0 bytes)
The process %original file name%.exe:2380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UkUkwAIY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ROQkoogU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UkUkwAIY.bat (0 bytes)
The process %original file name%.exe:2268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iwsgAQIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mUUgwAwk.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iwsgAQIo.bat (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TysUUcgY.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOcYQMIs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\JOcYQMIs.bat (0 bytes)
The process %original file name%.exe:1468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LuoQQIAU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oGYMYYcQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oGYMYYcQ.bat (0 bytes)
The process %original file name%.exe:2244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cUMsUwIA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgUgYsEc.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pgUgYsEc.bat (0 bytes)
The process %original file name%.exe:1652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\geoUMAUo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqwMcMYM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\geoUMAUo.bat (0 bytes)
The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cIAkgEEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xIogkMoQ.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xIogkMoQ.bat (0 bytes)
The process %original file name%.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hewcUUYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hkogIkAE.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hkogIkAE.bat (0 bytes)
The process %original file name%.exe:2364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ickwgEcw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWMUYYAY.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ickwgEcw.bat (0 bytes)
The process %original file name%.exe:2076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mGwkYgIM.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bGYokksA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mGwkYgIM.bat (0 bytes)
The process %original file name%.exe:2264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xOIUQcMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dGAwYkII.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xOIUQcMI.bat (0 bytes)
The process %original file name%.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\swoYwcIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQwIEAcg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dQwIEAcg.bat (0 bytes)
The process %original file name%.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MAsMMkwo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SQAIIgcI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SQAIIgcI.bat (0 bytes)
The process %original file name%.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\COIQksIo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqUoEoIU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pqUoEoIU.bat (0 bytes)
The process %original file name%.exe:3836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYsokk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmEgIcQU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYsokk.bat (0 bytes)
The process %original file name%.exe:336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmEEAkwM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWkcQsww.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CWkcQsww.bat (0 bytes)
The process %original file name%.exe:2280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OsEgYkcg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JgAQgYck.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\JgAQgYck.bat (0 bytes)
The process %original file name%.exe:3596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EywYsooQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ASQIIgEE.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EywYsooQ.bat (0 bytes)
The process %original file name%.exe:3608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kQUAgocA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QOIYowkA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QOIYowkA.bat (0 bytes)
The process %original file name%.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rUcQkwIk.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hGIAYYQs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hGIAYYQs.bat (0 bytes)
The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FEUMUkwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KsEEwsgg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KsEEwsgg.bat (0 bytes)
The process %original file name%.exe:2856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hwYgEoMo.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VKskgQIw.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\VKskgQIw.bat (0 bytes)
The process %original file name%.exe:1048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UCUscwEU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MywsQIog.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UCUscwEU.bat (0 bytes)
The process %original file name%.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fkMkUQAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bokUkwUg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bokUkwUg.bat (0 bytes)
The process %original file name%.exe:1148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KAEgIUgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouAQwsMI.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KAEgIUgs.bat (0 bytes)
The process %original file name%.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vGcQsYUs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UiMUwAEU.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UiMUwAEU.bat (0 bytes)
The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ueUAkIIM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kIYcEwUU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kIYcEwUU.bat (0 bytes)
The process %original file name%.exe:3056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CCIUMMUc.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SgEogMEs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SgEogMEs.bat (0 bytes)
The process %original file name%.exe:2632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hOEYYMoI.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CGUUQQkA.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CGUUQQkA.bat (0 bytes)
The process %original file name%.exe:248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pOQwUcEI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UmwIQoYA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pOQwUcEI.bat (0 bytes)
The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wssMMIII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PigogsQs.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wssMMIII.bat (0 bytes)
The process %original file name%.exe:3880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\biwQEMMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scQoUQUs.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\biwQEMMA.bat (0 bytes)
The process %original file name%.exe:1644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sOYwQYMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RcIokMEg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RcIokMEg.bat (0 bytes)
The process %original file name%.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vgcIgccQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cisoMAso.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vgcIgccQ.bat (0 bytes)
The process %original file name%.exe:3540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WyAwAkwk.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RykEwgAI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RykEwgAI.bat (0 bytes)
The process %original file name%.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OasIgQgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WqgYsgQM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OasIgQgw.bat (0 bytes)
The process %original file name%.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DQgAggoc.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWUIMUcQ.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DWUIMUcQ.bat (0 bytes)
The process %original file name%.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dYcIEAwA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QmgUEQEk.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QmgUEQEk.bat (0 bytes)
The process %original file name%.exe:3500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uWEgEEUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eSoAckcE.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uWEgEEUs.bat (0 bytes)
The process %original file name%.exe:2492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZoAYoEEM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VoQYkgAI.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZoAYoEEM.bat (0 bytes)
The process %original file name%.exe:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BIoIUcgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DCYcwMEg.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BIoIUcgo.bat (0 bytes)
The process %original file name%.exe:536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sQQcogEI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\augwEksM.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\augwEksM.bat (0 bytes)
The process %original file name%.exe:2752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wCEoYQYs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GicUsEwA.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GicUsEwA.bat (0 bytes)
The process %original file name%.exe:352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ymkkkQYY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gOwgkEYU.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ymkkkQYY.bat (0 bytes)
The process %original file name%.exe:2416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DkowwcEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWkYIwcs.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CWkYIwcs.bat (0 bytes)
The process %original file name%.exe:296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YecMEgsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PiwowYIQ.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\YecMEgsc.bat (0 bytes)
The process %original file name%.exe:2376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MEIMcsAA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KwIQkkgA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MEIMcsAA.bat (0 bytes)
The process %original file name%.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UOscIYQw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kGcogIcI.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kGcogIcI.bat (0 bytes)
The process %original file name%.exe:3820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\iQwIAAQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wUgcwwgg.bat (4 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wUgcwwgg.bat (0 bytes)
The process %original file name%.exe:2148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SQQoooII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WeMEoUgM.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SQQoooII.bat (0 bytes)
Registry activity
The process fGAwoYMM.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 2B 22 85 AA 36 37 9A 14 FA 05 4D 47 6E 33 FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 68 AC FA 09 29 0A A0 5E B7 6F 4F D8 33 BB 33"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:3904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 06 DE BA 08 41 43 4C 75 D6 F8 78 9A BE 8E 6A"
The process %original file name%.exe:2964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 0F 3E 36 69 53 8F 2A C7 20 98 DE 1D 25 1C A4"
The process %original file name%.exe:3240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 8B 88 BE B9 A5 47 BB EF 85 B7 6A 8A FC D6 F3"
The process %original file name%.exe:2988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 E6 B8 B2 1E B0 15 60 EE BC B9 21 D1 79 F3 93"
The process %original file name%.exe:2960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 DF FC CD 44 BA 58 1A 09 E7 CC B9 E3 66 62 DB"
The process %original file name%.exe:624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 1A 9B F5 46 86 F6 66 31 4C 37 CF B4 C5 93 18"
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 DA 49 0B C1 62 D3 58 7F AC 19 A4 C9 A8 15 A5"
The process %original file name%.exe:2844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 B6 B3 A3 DB A7 2B 4B B1 68 6C 4C CD DD 2F EE"
The process %original file name%.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 EB C4 9C 2C BC 99 4A 6A 52 E3 94 D8 9B 8E D9"
The process %original file name%.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 8C D6 17 17 0F F9 F5 D3 42 86 21 54 D9 2C 3D"
The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 B2 87 7D 7C 2C 59 39 B9 E3 26 01 85 CA B8 AB"
The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 AC 11 16 8C A7 EA 5D C1 AA 66 51 A0 D5 A7 BA"
The process %original file name%.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D FE 51 E8 0B F5 B0 8B 28 94 28 AC 5F 42 28 AC"
The process %original file name%.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 14 18 26 FF 49 D9 27 F7 35 A0 74 F1 79 84 9E"
The process %original file name%.exe:2548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 04 55 71 CF 6D 20 0D A1 3B 05 80 7C E9 F2 BA"
The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 B9 A3 B0 29 15 2A 20 FC D6 25 47 6A 26 41 BD"
The process %original file name%.exe:3736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 8D AA 85 15 D0 0A DC B8 60 65 BA 55 2D 4D 1E"
The process %original file name%.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 77 DA 07 D1 36 50 07 F6 4F 4E E1 7B 7A 1E 23"
The process %original file name%.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 6F 9C CC 78 C8 BE 1E E9 6C F4 C6 0E 23 BA 65"
The process %original file name%.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 89 04 BA 36 32 FF 63 AE 8F 88 6B 1D 2B 0F 2C"
The process %original file name%.exe:1208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 36 FE 77 85 AF 9F 80 30 72 59 76 43 33 86 BF"
The process %original file name%.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 03 CD 64 B1 50 C2 FB 9B 32 6F 08 21 33 7D 0E"
The process %original file name%.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 F7 C3 CD 69 99 B5 A5 59 28 FA 36 DA CD 8F 4F"
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 82 F5 32 CF D8 EF FB BF 44 55 30 A6 E2 80 DD"
The process %original file name%.exe:2540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B3 53 75 7E 6C A0 20 44 CC 93 AF 59 06 2C 4C"
The process %original file name%.exe:3472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 F3 A6 7E E4 84 56 84 97 1A F4 C8 7D AC 65 A5"
The process %original file name%.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 1B 48 C4 37 CF C9 4B A2 1B D4 B6 5C F7 3B 75"
The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 7E B7 B5 43 A7 A1 CC 86 0C 6E F5 C0 C1 F7 1B"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:3100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 DF CA 71 D8 67 96 90 82 01 EF 36 49 37 67 A5"
The process %original file name%.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 1F A2 D0 2F C7 8C C5 3A 7D AB C4 74 F4 F7 87"
The process %original file name%.exe:3256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C BC 3E E6 E8 E3 BA E8 53 EE C0 4B F2 91 70 5E"
The process %original file name%.exe:2984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 DC B9 DF 1F B2 DB CD D3 C8 55 3E F4 AD 89 5A"
The process %original file name%.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AC 31 34 67 1A D2 59 77 1F CF D0 62 57 21 A7"
The process %original file name%.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 37 AB 2E 0B 40 D3 BF 3B D8 1E 07 2C FD E1 A1"
The process %original file name%.exe:2268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 63 C8 22 12 20 2B 52 80 8D 73 D1 04 C8 21 58"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 B9 A3 18 6A 12 92 21 99 E7 00 EA 6E 84 A1 5F"
The process %original file name%.exe:1468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 33 44 B1 23 D0 78 09 71 0F 95 25 FD 9D 1B 8C"
The process %original file name%.exe:2244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 65 72 3F ED AA 22 2F 4E 32 AB F3 D6 FA F9 00"
The process %original file name%.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BD 7A 3A 19 FE F4 A1 88 92 4D E9 9D CF 38 F2"
The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 35 7F D3 30 A3 BB F4 9D 43 5C 48 00 54 53 60"
The process %original file name%.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 0B BD 75 D3 76 A9 0F 83 5A 73 F6 48 D8 DB 43"
The process %original file name%.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 50 DF 5B 22 ED 3C CA B6 44 7A C5 80 3A 7A 98"
The process %original file name%.exe:2076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 38 3F C0 94 38 78 4F A2 0F 66 A4 6E 75 68 2F"
The process %original file name%.exe:2264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C E3 D3 09 A1 DE 99 B8 39 B6 0C 04 67 C3 0D A0"
The process %original file name%.exe:2668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 98 30 00 CB DF 10 5B 6D 87 B7 26 60 4F BD 99"
The process %original file name%.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 2F 10 AC B4 FE B4 BD AA C3 42 07 3D 4B 89 F6"
The process %original file name%.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 A0 B7 11 78 97 BC 63 B6 47 DE A0 82 24 96 A1"
The process %original file name%.exe:3836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 A1 A1 A7 58 DD 00 B6 61 53 D9 D1 15 BF 59 E5"
The process %original file name%.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 2F 79 1B F1 1E B1 00 A3 3B 63 D4 12 CB 07 4F"
The process %original file name%.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 70 C6 B8 4C B7 2D 34 1C B3 2D 0A AA 1C 60 C0"
The process %original file name%.exe:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 50 53 DF E7 65 6B 2D 96 44 8A 6C 74 4E 03 63"
The process %original file name%.exe:3608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 4C FB 70 BC AF 70 AF BE FC 2A B5 DE 32 C5 77"
The process %original file name%.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 D3 20 13 72 8E 21 AE B8 0B E3 0B BB D6 A7 D5"
The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 64 BE 61 C7 64 5B 83 EF CF 25 31 32 B3 BC B7"
The process %original file name%.exe:2856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E1 30 E4 13 C3 CA FE B3 93 73 A9 58 DB 5F A4"
The process %original file name%.exe:1048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 D3 2A C0 FA 8C 48 3F BF 95 EE 1F A1 04 00 BA"
The process %original file name%.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D E4 33 F8 03 E7 FE 3E 32 14 C4 C4 9D 09 4E AC"
The process %original file name%.exe:1148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF FA 25 0A 05 89 52 93 5B FC 10 52 A8 A6 BA EF"
The process %original file name%.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 C9 6C 6E 77 DF F4 99 EC C1 D5 C3 5E B3 78 33"
The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 67 41 30 D3 7D E0 7F 49 D5 00 9A 95 D7 B9 62"
The process %original file name%.exe:3056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 8D F9 90 6C 28 2F A6 D3 67 05 AC 11 A3 CB 4F"
The process %original file name%.exe:2632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 4A 43 8C E4 F4 C4 FE ED A5 12 56 AB E0 EC C3"
The process %original file name%.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 E1 91 CA BB 73 22 48 00 FD 37 53 00 CD D6 0A"
The process %original file name%.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D A4 AA AB 04 C9 CD 9A 88 EA CC 06 F2 FA 1B F5"
The process %original file name%.exe:3880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 52 B0 14 B1 A5 0C AF DA 28 F9 58 C5 96 92 A2"
The process %original file name%.exe:1644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 51 28 53 0A 4A 9E 20 56 65 91 D5 02 7B 7B 8D"
The process %original file name%.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 BD CB 76 40 66 F5 9F 88 E7 7E A8 13 B5 65 CE"
The process %original file name%.exe:3540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 CC C3 FD EA 4B A0 23 EF 03 53 6F 86 DA B5 11"
The process %original file name%.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 C7 B7 2E 4B 86 52 2A DE 6A 32 10 DD 96 96 09"
The process %original file name%.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC EA 5E 62 96 EA 2D 8B F6 E0 0D 25 D4 56 80 AF"
The process %original file name%.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 F1 52 38 E3 06 DE 66 E6 9C 2B 87 58 9F B0 69"
The process %original file name%.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 57 85 58 13 79 3F 88 FB 20 86 97 26 E8 35 9F"
The process %original file name%.exe:2492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 48 BD 04 BC E5 30 4A FE 17 2F 30 2A C6 75 25"
The process %original file name%.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 64 34 36 C7 AE D2 38 F2 1D 5F C5 3E 28 3C 66"
The process %original file name%.exe:536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 6A E3 D7 E1 B2 3B D7 D4 25 3E F3 D4 3A 01 57"
The process %original file name%.exe:2752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 48 00 44 E7 BB 3D DC C5 F1 9B C2 A9 83 41 04"
The process %original file name%.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 15 FA B0 A2 BF E8 4E 79 3A 04 FC 5E CA FE DC"
The process %original file name%.exe:2416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 89 88 90 E8 67 2C D0 CC 62 3B 78 4F 62 FB 71"
The process %original file name%.exe:296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 A3 C7 64 6A B0 66 99 FF 45 72 F9 20 F4 28 A8"
The process %original file name%.exe:2376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 6D 72 E2 4F 24 E6 48 62 20 5F 20 A4 21 32 D4"
The process %original file name%.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 34 D6 8A 33 5F 65 D1 92 1B 29 8E E9 EA CC CA"
The process %original file name%.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 02 43 15 19 E0 9B 6F 79 87 CA 27 E4 30 8A 31"
The process %original file name%.exe:2148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3D F4 49 8A 5D 19 B8 C9 62 A2 E5 EE E4 A1 05"
The process cscript.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 8D 71 B9 95 66 1D B3 02 C5 EC 25 97 B0 34 41"
The process cscript.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 70 D8 D2 64 39 F2 58 06 A6 BB 01 3E 99 C3 F1"
The process cscript.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE C2 54 17 CB C1 2D 96 88 C5 36 49 E7 30 73 FF"
The process cscript.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 A8 84 1A D4 08 D1 CB D9 4A F6 AA B2 E4 30 2F"
The process cscript.exe:3808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 80 1F 99 80 70 15 22 91 F1 40 C8 BD F7 8D 2B"
The process cscript.exe:2592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 CD 46 D6 DB DD DF 41 2F 51 F7 AF B0 63 81 DE"
The process cscript.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 38 32 51 F3 10 E5 6E 02 72 6A 3C 3B 57 0D 99"
The process cscript.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 9E 79 35 88 F1 4D FC 97 FD A0 4B F9 AD 7F CD"
The process cscript.exe:1260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 7F EB 15 64 E6 AB 21 94 1B 92 54 0E 80 93 73"
The process cscript.exe:3060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 35 EA 31 3F A8 23 D1 AE E1 56 9B 1C 5A 01 5F"
The process cscript.exe:3272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA F1 4A 95 F9 3D E3 01 42 DB C2 B8 D7 41 00 60"
The process cscript.exe:3256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 E1 9D AF DC 7C 88 9E 2B 2E 7A 66 E4 08 A1 60"
The process cscript.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A B0 0D 2D 34 D8 CB 9D 5A 07 9D BE C2 6A EC 53"
The process cscript.exe:2824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 C1 8B D2 6C FE E3 B7 20 97 38 FC C0 9B FF BE"
The process cscript.exe:4084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 81 77 FA C0 70 1C F7 29 AA 4C 65 56 8B 5A DD"
The process cscript.exe:1896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 85 87 E5 73 A8 0C E4 16 8E 4A AC 4B 32 5E B6"
The process cscript.exe:3208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A E5 C3 BB 20 BB CF 2A 21 3C 15 AB 68 8E 5B 51"
The process cscript.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B E4 2B 3E 70 A7 4D 19 A4 7A B1 DE 69 5B 06 63"
The process cscript.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 C5 8D 9A BE 92 26 9E A0 E8 1A 1B B3 10 55 9F"
The process cscript.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 91 FC 68 7E 0F 36 CD 8B C2 25 B3 AD 36 79 83"
The process cscript.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 34 7C 61 82 75 79 E4 1C EE F4 EE B0 17 A2 5F"
The process cscript.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 0E AE B9 55 4B EF C4 36 68 55 6F 81 FB BF 55"
The process cscript.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 6A FC 94 4C 6A A3 33 09 26 31 C7 10 0A 22 07"
The process cscript.exe:3108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC E5 64 08 29 BC E0 6C 08 28 9C A8 D1 28 12 B1"
The process cscript.exe:2340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 72 FF 40 89 B0 C3 24 B9 7B 73 67 7C 10 48 06"
The process cscript.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 A6 5A FE 40 68 56 06 C0 07 ED 7C 8A E9 5C 58"
The process cscript.exe:2056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 75 A9 B9 CA 3F 6D 71 2D 82 17 8D 29 43 B1 8D"
The process cscript.exe:4000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 B8 84 ED 0C 4E B7 CE 49 E4 F9 1B F3 38 78 C7"
The process cscript.exe:256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D F6 4B EF 05 AA 79 5E 53 1E D9 25 6C 82 41 4C"
The process cscript.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 57 8F BE 67 9A F3 3B 49 3C 8A 2E E0 19 63 9F"
The process cscript.exe:3796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 15 0E 66 51 3E 9F 88 B5 09 71 B8 42 85 E0 E6"
The process cscript.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 70 2A 86 BE 49 90 15 4C 9A 26 55 61 AD 16 8D"
The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 B3 A0 34 33 5A AD A8 CE 53 30 2A AF F4 A9 2F"
The process cscript.exe:3588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 05 5C 5E D7 9B 19 F8 1E 4D 90 F1 24 3C 69 87"
The process cscript.exe:3972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 58 5D 1A 6E 39 6D 0E 79 97 62 7B 76 2A C2 43"
The process cscript.exe:2684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 A0 DA F2 96 89 7E 98 8B 6A D1 A2 A4 FD 8B 84"
The process cscript.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B3 CC 51 E7 95 9E 6F 7E 79 10 1E B4 E4 A2 8D"
The process cscript.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 DF E0 B0 BE 9A CE A2 31 A3 4F 36 3B E0 04 84"
The process cscript.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C9 2F C9 03 94 69 6F 97 79 C9 CB F4 2C DD 16"
The process cscript.exe:3896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 51 AE 56 10 D7 CB 4C AE 5B 7E 54 A2 15 D8 A3"
The process cscript.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 88 D2 0A 04 45 8C 0F 8E DB 58 B3 9C 5D FA FD"
The process cscript.exe:2500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 BD CA 7F 9D 29 73 49 24 AF E1 BA 6C 35 D4 37"
The process cscript.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 1D 9E 6A FA 71 C3 C0 56 74 74 E8 8B 75 35 9F"
The process cscript.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 36 8B 49 54 3E 7E 56 07 C5 F9 B3 64 4F EA C6"
The process cscript.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 BD 98 31 05 1E 6F 1F F6 A7 D4 E1 EC AC 84 6D"
The process cscript.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA A8 9C 5D 36 74 5F E0 F3 62 2C 4B 1D CC 69 08"
The process cscript.exe:4092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 1B B6 1F 55 31 6F 71 39 40 DA AF 60 23 4F FF"
The process cscript.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 96 25 C6 5A 4C F4 2C 12 0B 71 F6 29 55 DC 76"
The process cscript.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 6F BE DE 6C 74 5B FB B1 A8 6C 0B 64 DA 93 21"
The process cscript.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 DA 56 3B 61 EC 92 F7 26 9B 26 6A C8 6E 30 75"
The process cscript.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 0A B9 F4 66 32 39 B7 F2 86 5E 34 80 60 69 28"
The process cscript.exe:3876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 25 9E FA C0 A5 45 8E 57 0F 9B 2F 0F 71 88 E8"
The process cscript.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 87 C8 18 AB D2 A8 18 67 00 95 17 0C 1A 9A 79"
The process cscript.exe:3708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 51 40 F7 87 1D 86 C3 E5 A7 49 26 E4 76 C3 DD"
The process cscript.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 2D AC 0D 4D 55 3A 8F F9 A3 AF 48 35 1B 99 DC"
The process cscript.exe:1800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 1D 33 C2 DC 5D 85 D1 0C 2F 9A 3C 19 E5 52 92"
The process cscript.exe:3648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 76 4D 6F EC 1D 05 66 7E 00 30 88 B6 58 61 E8"
The process cscript.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 58 C5 F8 A1 38 29 2E B0 F0 95 EB 66 E7 51 E9"
The process cscript.exe:2728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C5 C3 2C CB AC BC 8E 2B 64 3A 69 E5 41 77 D8"
The process cscript.exe:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 13 8F 11 48 A3 B7 23 DA 21 3E 29 B8 4B A2 4D"
The process cscript.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 6C CD 43 C5 C1 2F C1 10 62 73 35 29 A0 35 2C"
The process cscript.exe:2088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 83 CA AF 86 B9 62 A3 66 38 63 56 39 59 2B 20"
The process cscript.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 EE F9 F0 BA 53 B7 3C 97 D9 B5 D3 E9 A0 F5 B0"
The process cscript.exe:2768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 45 B4 BB 26 D6 03 22 2A 31 96 BA 9B F0 0F 05"
The process cscript.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A9 22 09 78 95 74 09 70 D8 66 14 14 7D EC DE"
The process cscript.exe:3036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 F0 FF DB 72 A1 45 4F 94 AD A4 82 B9 6A F3 76"
The process cscript.exe:2232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 21 BF 93 EE C4 51 29 C8 25 90 17 D5 1C 05 46"
The process cscript.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 37 06 05 BE 7E 37 61 62 9B 75 38 14 9B 53 DD"
The process cscript.exe:2108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD AE 5E CE 32 9F 6A 68 FF 7D FE 0D 75 DB 8A 7C"
The process cscript.exe:3988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 AF 0F 29 76 45 03 11 80 2F 7D A6 A8 5D CF C9"
The process cscript.exe:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 54 A1 B9 DA EF 1B 20 64 17 AD AD C4 47 76 9C"
The process cscript.exe:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 D4 B4 32 14 A2 AB CF 5F 3C 27 61 C9 77 C0 FD"
The process cscript.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 3A A2 33 94 90 26 C6 FD A0 D6 2A 23 14 30 64"
The process cscript.exe:2164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F DC 97 3A 59 4C 8C A2 C8 22 A8 A0 4C 48 1A E6"
The process cscript.exe:2376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 E5 8E 36 75 19 68 C4 6F A4 81 B1 03 A1 C0 7A"
The process cscript.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 84 76 F5 A5 7C 87 E8 2D 3A 8A 2A 1C 52 30 34"
The process cscript.exe:2536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 8E 7A 51 4D B8 A4 8B 2B CD 81 4E EA 12 49 75"
The process cscript.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 A7 B9 7D AB 99 32 BA D4 CE A2 5B 03 88 3D 61"
The process cscript.exe:3484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 EA 82 62 42 F5 43 C0 37 5A 30 FC 60 91 99 0B"
The process NesIMIQs.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 4A E3 D4 37 0F E7 5C 77 C9 3E 01 E8 8E 9A 19"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| eeccdd01230bb37eb0c767e49b11ed7c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
| f45e1294419b8aca97b657cee037c610 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
| 27cb1a980975cb948595cc3e70c1f6f3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
| 43222b87ac768b77407d383d36f51fba | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
| 9ad261edfb75f9a810e61c3180e5e709 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
| a78954af15f664ca286860857c200e82 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
| 546c6a60505dd4da655381faec2ff3b4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
| c9cb495916cc35ccba73b57e977e6106 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
| 2326a9045d2a571bd30e0b6d1c0567e5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
| b9c654d06ee4d2d91cb544ca10b1da2d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
| 5211c1df56f896fa4059e35fabbe50e0 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
| 05163c31513e3a5e6c40265659c32078 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
| b11512faf60df7fd92b903cc7d949db6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
| 4c43cc2353c9d65b36a0bea73810652e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
| 468c28c82bb2c1a32f57e2d5915165fc | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
| 5a8949789b138d4c6396895a27dcef33 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
| 54f876f02fcba682260e37346101508f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
| a3f01934ad24569893ff116325808a99 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
| 2c5a1793a44f5fae088cc673b5758914 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
| fea0ef930d2c6b8efac142949cbe5076 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
| 8446d5cf640280b0253d4416458e5764 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
| 400c84dfc2b0f3f140dda0daf7401254 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
| 601a3ca8f792e3227ab860e5f7fcabcc | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
| cf4db8b7ab08bb268496151362a26529 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
| 70e78ee75b7a81127c8954a156554f23 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
| 5d954620997e9eda1aa91bb0d1659a98 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
| 2568b29bb41233c87312a09a93b56ab1 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
| 33fec18ec898a05aecaafa3825abfcd6 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
| aa9df7905a156fb5a15a9c453725196c | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
| 1e48331864afbd7ed9e35617d1571a91 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
| eb89aab0340b2bc6e2c96afc333f9f41 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
| 1ecfbdd42f2009471811f9bfd0ddf657 | c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe |
| 786abe895e32bff3206fc15698151f80 | c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe |
| eb9fec1a65621a45978e0f5f172167b6 | c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe |
| e54fd1dcd7f657b3c5edc570f151c382 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
| 5aeedfd51ced011d2ba6c8e93cd89c49 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
| fa6af787f7addb954ae8f167a4f79916 | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
| d408f1ff4aa54fef102e2368c99dfc6e | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
| ffe3873e4c367ac936604652fd84d5a5 | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
| 61945569b1af44254b4c4ffb90c27b08 | c:\Perl\html\images\AS_logo.gif.exe |
| 323a4b5698a76b3b3bfc398867b59ecc | c:\Perl\html\images\PerlCritic_run.png.exe |
| 19fbb60cc60f2fcd49532081feff9023 | c:\Perl\html\images\aslogo.gif.exe |
| 716b8fa94d80975db6e77cc9b0f33b2e | c:\Perl\html\images\ppm_gui.png.exe |
| a5b1fd4797355326a375957cf0a1d98e | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
| d9e2ef0365a2e8862817ae1af2cb3cbb | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
| 15b5cc40fe0cb8da4be6161d215a3eba | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
| 0fe6df2b10827e61640228e4faf34a33 | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
| f58a1275e557dee25670cb594f2d3bf6 | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
| ac0ab35545eb2265f9fb5381436613f8 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
| 8f0519631bf264b4b89079575b9ad2cf | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
| b3e83b111c239e5cbe7090cb26d732c4 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
| 973654b0ae285574229ade28e3663fca | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
| 4fff02f461eeccc2940944df33709e11 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
| 89a004d018873b5f88b5b5bf5e26a411 | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 999424 | 997888 | 5.46673 | ddf341ad5436083a140693c4bfb6d1b1 |
| .rdata | 1003520 | 4096 | 512 | 2.15669 | 1a86df73d098662b934f073051938761 |
| .data | 1007616 | 3 | 512 | 0.042395 | ec85800a7052112f06e6ebca770ecfe3 |
| .rsrc | 1011712 | 1372 | 1536 | 2.36098 | 72c06d53c4b76b025d7bc6f23723f2cd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3904
%original file name%.exe:2964
%original file name%.exe:3240
%original file name%.exe:2988
%original file name%.exe:2960
%original file name%.exe:624
%original file name%.exe:312
%original file name%.exe:2844
%original file name%.exe:2636
%original file name%.exe:332
%original file name%.exe:1920
%original file name%.exe:3380
%original file name%.exe:3824
%original file name%.exe:1924
%original file name%.exe:2548
%original file name%.exe:3308
%original file name%.exe:3736
%original file name%.exe:3164
%original file name%.exe:2896
%original file name%.exe:2196
%original file name%.exe:1208
%original file name%.exe:4008
%original file name%.exe:2344
%original file name%.exe:1908
%original file name%.exe:2540
%original file name%.exe:3472
%original file name%.exe:2544
%original file name%.exe:668
%original file name%.exe:3100
%original file name%.exe:3516
%original file name%.exe:3256
%original file name%.exe:2984
%original file name%.exe:656
%original file name%.exe:2380
%original file name%.exe:2268
%original file name%.exe:652
%original file name%.exe:1468
%original file name%.exe:2244
%original file name%.exe:1652
%original file name%.exe:2748
%original file name%.exe:1676
%original file name%.exe:2364
%original file name%.exe:2076
%original file name%.exe:2264
%original file name%.exe:2668
%original file name%.exe:2428
%original file name%.exe:3664
%original file name%.exe:3836
%original file name%.exe:336
%original file name%.exe:2280
%original file name%.exe:3596
%original file name%.exe:3608
%original file name%.exe:304
%original file name%.exe:1932
%original file name%.exe:2856
%original file name%.exe:1048
%original file name%.exe:244
%original file name%.exe:1148
%original file name%.exe:1956
%original file name%.exe:3404
%original file name%.exe:3056
%original file name%.exe:2632
%original file name%.exe:248
%original file name%.exe:644
%original file name%.exe:3880
%original file name%.exe:1644
%original file name%.exe:2640
%original file name%.exe:3540
%original file name%.exe:3448
%original file name%.exe:3564
%original file name%.exe:3152
%original file name%.exe:3500
%original file name%.exe:2492
%original file name%.exe:1288
%original file name%.exe:536
%original file name%.exe:2752
%original file name%.exe:352
%original file name%.exe:2416
%original file name%.exe:296
%original file name%.exe:2376
%original file name%.exe:2104
%original file name%.exe:3820
%original file name%.exe:2148
cscript.exe:1128
cscript.exe:2616
cscript.exe:2736
cscript.exe:212
cscript.exe:3808
cscript.exe:2592
cscript.exe:1080
cscript.exe:1328
cscript.exe:1260
cscript.exe:3060
cscript.exe:3272
cscript.exe:3256
cscript.exe:1908
cscript.exe:2824
cscript.exe:4084
cscript.exe:1896
cscript.exe:3208
cscript.exe:2928
cscript.exe:172
cscript.exe:2940
cscript.exe:2344
cscript.exe:3476
cscript.exe:3644
cscript.exe:3108
cscript.exe:2340
cscript.exe:3380
cscript.exe:2056
cscript.exe:4000
cscript.exe:256
cscript.exe:2224
cscript.exe:3796
cscript.exe:2304
cscript.exe:1944
cscript.exe:3588
cscript.exe:3972
cscript.exe:2684
cscript.exe:1476
cscript.exe:1676
cscript.exe:2364
cscript.exe:3896
cscript.exe:3928
cscript.exe:2500
cscript.exe:2080
cscript.exe:2620
cscript.exe:2456
cscript.exe:2876
cscript.exe:4092
cscript.exe:3384
cscript.exe:2936
cscript.exe:1336
cscript.exe:1796
cscript.exe:3876
cscript.exe:1152
cscript.exe:3708
cscript.exe:2484
cscript.exe:1800
cscript.exe:3648
cscript.exe:3268
cscript.exe:2728
cscript.exe:3176
cscript.exe:3508
cscript.exe:2088
cscript.exe:1636
cscript.exe:2768
cscript.exe:3460
cscript.exe:3036
cscript.exe:2232
cscript.exe:4072
cscript.exe:2108
cscript.exe:3988
cscript.exe:532
cscript.exe:412
cscript.exe:3164
cscript.exe:2164
cscript.exe:2376
cscript.exe:1664
cscript.exe:2536
cscript.exe:1724
cscript.exe:3484 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FSsoUwUA.bat (112 bytes)
C:\34806dcbe3e1df48f5f62f8b3380c55d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NKUsAggo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqUYgcIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MwIgkQQc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UsccogcU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQoEIgAQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SSMUEIMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HsQwsAIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UGEUMkUs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BmYkcQcU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EacgAIMA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zoEYUowg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TeYMMwgg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iMAosYIA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iekMYAQE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\teIYoYkw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqQoMYQY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lAYkoYUk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JYcswMAs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rEkkgMco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zIkEkAEo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GWAkMokI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qWYkIYQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiAoUoEY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sKsEcQYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\poEYUIog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MWoEUQkw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pyockIUk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LScEAAsQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ROgYkAos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NCsgwkAk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmoYIEsE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YaUckQUE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JoYkUoEg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OikgMAcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JyUUIgso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tYkMoAAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmEgossI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VYoMIwMs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fUAcIksw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FgEgMcoc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xCsEYgMw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouMwkoYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hMosAsEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mkwkIMww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nUEsoQcg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QugQUcIQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WucEIMQw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\guUYEkgE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiwAgQQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKYEIggg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WWIMcwcw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VOIcsosY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWEcEMUA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rUQIIYAg.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7713 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7737 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jeUsEoUo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BgIMAcgc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gQIcYQgQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MkcMssAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QewMskQY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OOUskAkg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nAIcYsAg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vUcIUogc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMAwkAgw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkUMIscQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQMIoMsE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UkUkwAIY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ROQkoogU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwsgAQIo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mUUgwAwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TysUUcgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOcYQMIs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LuoQQIAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oGYMYYcQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cUMsUwIA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgUgYsEc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geoUMAUo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqwMcMYM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cIAkgEEU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xIogkMoQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hewcUUYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hkogIkAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ickwgEcw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWMUYYAY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mGwkYgIM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bGYokksA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xOIUQcMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dGAwYkII.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swoYwcIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQwIEAcg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MAsMMkwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SQAIIgcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\COIQksIo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pqUoEoIU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYsokk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CmEgIcQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmEEAkwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWkcQsww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OsEgYkcg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JgAQgYck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EywYsooQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ASQIIgEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kQUAgocA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QOIYowkA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rUcQkwIk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hGIAYYQs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FEUMUkwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KsEEwsgg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hwYgEoMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VKskgQIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UCUscwEU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MywsQIog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fkMkUQAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bokUkwUg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KAEgIUgs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouAQwsMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vGcQsYUs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UiMUwAEU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ueUAkIIM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kIYcEwUU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCIUMMUc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SgEogMEs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hOEYYMoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CGUUQQkA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pOQwUcEI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UmwIQoYA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wssMMIII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PigogsQs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\biwQEMMA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scQoUQUs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sOYwQYMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RcIokMEg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vgcIgccQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cisoMAso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WyAwAkwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RykEwgAI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OasIgQgw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WqgYsgQM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DQgAggoc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWUIMUcQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dYcIEAwA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QmgUEQEk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWEgEEUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eSoAckcE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZoAYoEEM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VoQYkgAI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BIoIUcgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DCYcwMEg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sQQcogEI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\augwEksM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wCEoYQYs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GicUsEwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ymkkkQYY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gOwgkEYU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DkowwcEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWkYIwcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YecMEgsc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PiwowYIQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MEIMcsAA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KwIQkkgA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UOscIYQw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kGcogIcI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iQwIAAQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wUgcwwgg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SQQoooII.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WeMEoUgM.bat (112 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe" - Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe," - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
