Gen.Variant.Kazy.535449_09c7c108fa

by malwarelabrobot on March 5th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.535449 (B) (Emsisoft), Gen:Variant.Kazy.535449 (AdAware), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 09c7c108fa1cfa6052d4b24310e3b608
SHA1: 4b6c7cf68cf29ba9977d5ae25bed33835b43e18c
SHA256: 357d4755f12e087e7053c0b31e9c5e39392fd3902a54405afa618a44418bc7fb
SSDeep: 12288:bkISKzR00dmbY/Qi2SiMhdP7G32X9mt0PxdJgtFRmR:bzxN09YYitiMhdTst0PxdJg3IR
Size: 500736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan: a program that appears to do one thing but actually does another (a Trojan horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1164
%original file name%.exe:308
%original file name%.exe:1268
%original file name%.exe:1160
%original file name%.exe:1144
%original file name%.exe:884
%original file name%.exe:1168
%original file name%.exe:608
%original file name%.exe:1924
%original file name%.exe:1928
%original file name%.exe:596
%original file name%.exe:344
%original file name%.exe:1948
%original file name%.exe:1836
%original file name%.exe:1232
%original file name%.exe:1772
%original file name%.exe:1852
%original file name%.exe:668
%original file name%.exe:956
%original file name%.exe:1568
%original file name%.exe:1500
%original file name%.exe:1372
%original file name%.exe:508
%original file name%.exe:1376
%original file name%.exe:916
%original file name%.exe:348
%original file name%.exe:1012
%original file name%.exe:2012
%original file name%.exe:568
%original file name%.exe:1092
%original file name%.exe:772
%original file name%.exe:616
%original file name%.exe:1136
%original file name%.exe:588
%original file name%.exe:316
%original file name%.exe:168
%original file name%.exe:240
%original file name%.exe:228
%original file name%.exe:1968
%original file name%.exe:248
%original file name%.exe:1640
%original file name%.exe:908
%original file name%.exe:1456
%original file name%.exe:828
%original file name%.exe:648
%original file name%.exe:820
%original file name%.exe:1368
cscript.exe:1128
cscript.exe:216
cscript.exe:1144
cscript.exe:1952
cscript.exe:1124
cscript.exe:316
cscript.exe:1920
cscript.exe:1924
cscript.exe:1548
cscript.exe:1832
cscript.exe:1968
cscript.exe:1772
cscript.exe:1852
cscript.exe:1944
cscript.exe:1568
cscript.exe:320
cscript.exe:188
cscript.exe:916
cscript.exe:348
cscript.exe:408
cscript.exe:308
cscript.exe:448
cscript.exe:1360
cscript.exe:1132
cscript.exe:564
cscript.exe:1796
cscript.exe:1956
cscript.exe:1888
cscript.exe:1912
cscript.exe:1016
cscript.exe:1880
cscript.exe:860
cscript.exe:908
cscript.exe:1768
cscript.exe:808
cscript.exe:1100
cscript.exe:648
cscript.exe:1760
cscript.exe:1740
cscript.exe:1368
cscript.exe:516

The Trojan injects its code into the following process(es):

fGAwoYMM.exe:1752
reIEcoQI.exe:1364
NesIMIQs.exe:644
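Two things stand out in the process list above: the sample relaunches its own image dozens of times and starts cscript.exe about as often, and several PIDs (1144, 308, 316, 348, 916, 1924 and others) appear under both image names, so the processes are short-lived and the PID alone cannot identify one of them across the run. The following triage script is an added example, not part of the Lavasoft report; the process-creation events in it are constructed (the report gives only image:pid pairs, so the parent links are assumed for illustration) and sample.exe stands in for %original file name%.exe.

```python
from collections import Counter, defaultdict

# Constructed process-creation events: (pid, image, parent_pid, parent_image).
# The parent links are assumed for illustration; the report lists only image:pid.
EVENTS = [
    (1164, "sample.exe",   600,  "explorer.exe"),
    (308,  "sample.exe",   1164, "sample.exe"),
    (1268, "sample.exe",   1164, "sample.exe"),
    (1160, "sample.exe",   1164, "sample.exe"),
    (1128, "cscript.exe",  1164, "sample.exe"),
    (216,  "cscript.exe",  1164, "sample.exe"),
    (1144, "cscript.exe",  1164, "sample.exe"),
    (1144, "sample.exe",   1164, "sample.exe"),   # pid 1144 recycled after that cscript.exe exits
    (1752, "fGAwoYMM.exe", 228,  "sample.exe"),
    (900,  "cscript.exe",  700,  "cmd.exe"),      # unrelated noise; must not be flagged
]


def children_by_parent(events):
    """Map (parent_pid, parent_image) -> Counter of child image names."""
    tree = defaultdict(Counter)
    for _pid, image, ppid, pimage in events:
        tree[(ppid, pimage)][image] += 1
    return tree


def fan_out_parents(events, threshold=3):
    """Parents that spawn at least `threshold` children with the same image name.
    Returns sorted (parent_pid, parent_image, child_image, count) tuples."""
    hits = []
    for (ppid, pimage), counts in children_by_parent(events).items():
        for image, n in counts.items():
            if n >= threshold:
                hits.append((ppid, pimage, image, n))
    return sorted(hits)


def self_spawning(events):
    """Parents whose child carries the same image name (a binary re-launching itself)."""
    return sorted({(ppid, pimage) for _pid, image, ppid, pimage in events
                   if image.lower() == pimage.lower()})


def reused_pids(events):
    """PIDs seen under more than one image name within the trace. Key processes on
    (pid, image, start time) or a process GUID instead of the bare pid."""
    images = defaultdict(set)
    for pid, image, _ppid, _pimage in events:
        images[pid].add(image)
    return sorted(pid for pid, names in images.items() if len(names) > 1)


if __name__ == "__main__":
    print("fan-out:", fan_out_parents(EVENTS))
    print("self-spawning:", self_spawning(EVENTS))
    print("reused pids:", reused_pids(EVENTS))
```

The threshold of three is a starting point for a sandbox trace; on a production host, raise it and scope the cscript.exe check to parents running from user-writable paths, otherwise login scripts and installers will trip it.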

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process fGAwoYMM.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7971 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (3073 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (3073 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (31071 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (4185 bytes)
C:\totalcmd\TcUsbRun.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5873 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (3073 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
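Read together, the two lists above show a file-replacement pattern: every deleted original (dog.bmp, Sunset.jpg, TOTALCMD.EXE, ...) reappears as the same path with .exe appended, and the replacements come in a handful of fixed sizes (3073 bytes for every .bmp, 3361 bytes for the .jpg files and small executables), which is what a stub that overwrites its host rather than appending to it looks like. The section for %original file name%.exe:228 further down adds three drops with random 8-letter names in random 8-letter directories and a 7-byte file at the drive root named after the sample's own MD5. The triage helper below is an added example, not part of the report; its input is a constructed subset of the entries shown here, with %AllUsers% standing in for %Documents and Settings%\All Users.

```python
import re

# Constructed events copied from the file lists above: (path, size in bytes).
CREATED = [
    (r"%AllUsers%\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe", 3073),
    (r"%AllUsers%\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe", 3073),
    (r"%AllUsers%\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe", 3361),
    (r"C:\totalcmd\TOTALCMD.EXE.exe", 31071),
    (r"%AllUsers%\KAAo.txt", 55978),
    (r"%AllUsers%\JuwEIgUE\reIEcoQI.exe", 3201),
    (r"C:\09c7c108fa1cfa6052d4b24310e3b608", 7),
]
DELETED = [
    r"%AllUsers%\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp",
    r"%AllUsers%\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp",
    r"%AllUsers%\Documents\My Pictures\Sample Pictures\Sunset.jpg",
    r"C:\totalcmd\TOTALCMD.EXE",
]

SAMPLE_MD5 = "09c7c108fa1cfa6052d4b24310e3b608"
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")   # JuwEIgUE, reIEcoQI, fGAwoYMM, ...
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parent(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def pair_replacements(created, deleted):
    """Match each created '<path>.exe' with a deleted '<path>'.
    Returns (original, replacement, replacement_size) triples."""
    gone = {d.lower() for d in deleted}
    return [(path[:-4], path, size) for path, size in created
            if path.lower().endswith(".exe") and path[:-4].lower() in gone]


def stub_sizes(pairs):
    """Histogram of replacement sizes. A fixed-size stub written over many hosts
    shows as one or two sizes repeated; a prepending infector would not."""
    counts = {}
    for _orig, _repl, size in pairs:
        counts[size] = counts.get(size, 0) + 1
    return counts


def random_drops(created):
    """Executables whose file name and parent directory are both 8-letter random tokens."""
    return [path for path, _size in created
            if basename(path).lower().endswith(".exe")
            and RANDOM_NAME.match(basename(path)[:-4])
            and RANDOM_NAME.match(basename(parent(path)))]


def marker_files(created, md5=SAMPLE_MD5):
    """Files whose name is a 32-hex digest equal to the sample's own MD5."""
    return [path for path, _size in created
            if HEX32.match(basename(path)) and basename(path) == md5]


if __name__ == "__main__":
    pairs = pair_replacements(CREATED, DELETED)
    for original, replacement, size in pairs:
        print(f"{original} -> {replacement} ({size} bytes)")
    print("stub sizes:", stub_sizes(pairs))
    print("random-name drops:", random_drops(CREATED))
    print("marker files:", marker_files(CREATED))
```

The paired list doubles as a recovery worklist: every original in it was removed, so restoring from backup, not renaming the .exe back, is the only way to get the content, and the replacement stubs should be collected for hashing before they are deleted.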

The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\liIkUwcA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kmkkEcoc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ikUMYwwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMoEkcUA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\liIkUwcA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ikUMYwwA.bat (0 bytes)

The process %original file name%.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eaYEsYkU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RWEkQAwE.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RWEkQAwE.bat (0 bytes)

The process %original file name%.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sewEIoMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RukAsUwQ.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sewEIoMs.bat (0 bytes)

The process %original file name%.exe:1160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hYcIkoEU.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pUEMIcYk.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hYcIkoEU.bat (0 bytes)

The process %original file name%.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MIgcEkcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bIIsAMoA.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bIIsAMoA.bat (0 bytes)

The process %original file name%.exe:884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ysQMcIAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\niwIAAYo.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ysQMcIAE.bat (0 bytes)

The process %original file name%.exe:1168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yMwYMUkE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CskoIEgo.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yMwYMUkE.bat (0 bytes)

The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KUYQQQcI.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LcAQkgYw.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LcAQkgYw.bat (0 bytes)

The process %original file name%.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oMsAUgMA.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emoIUMEI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\emoIUMEI.bat (0 bytes)

The process %original file name%.exe:1928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YOYwwkEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XMgUUwoc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YOYwwkEE.bat (0 bytes)

The process %original file name%.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\acgscQIg.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RswoYwUg.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\acgscQIg.bat (0 bytes)

The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OSQYAkIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuMcswUE.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OSQYAkIc.bat (0 bytes)

The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AMcUwIUw.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vywgEQsE.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vywgEQsE.bat (0 bytes)

The process %original file name%.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oswMkgcc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GOIYgskU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oswMkgcc.bat (0 bytes)

The process %original file name%.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mkoYEMYk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IaQQYAUw.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mkoYEMYk.bat (0 bytes)

The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EsQwwYsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QckMUQkM.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EsQwwYsw.bat (0 bytes)

The process %original file name%.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WecIYIwo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vmwwIsAo.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vmwwIsAo.bat (0 bytes)

The process %original file name%.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pCMossQI.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSggkEUs.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fSggkEUs.bat (0 bytes)

The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FYwcMAYw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CWQsowMU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FYwcMAYw.bat (0 bytes)

The process %original file name%.exe:1568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LOIQcQos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RkcIcoME.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RkcIcoME.bat (0 bytes)

The process %original file name%.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NYcUMYso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqcMkAoI.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hqcMkAoI.bat (0 bytes)

The process %original file name%.exe:1372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YmcggMcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lEkAsoEM.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YmcggMcs.bat (0 bytes)

The process %original file name%.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WIMIAIcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DCUkUIcQ.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DCUkUIcQ.bat (0 bytes)

The process %original file name%.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mmsoYwgk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\seMIkoEU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mmsoYwgk.bat (0 bytes)

The process %original file name%.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qWIkYoIc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TwQcoEsA.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TwQcoEsA.bat (0 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MIsEAoUI.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qecEEccM.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qecEEccM.bat (0 bytes)

The process %original file name%.exe:1012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pQUgccow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MmcMUMsM.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pQUgccow.bat (0 bytes)

The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UGIEQsgM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouQosYYw.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UGIEQsgM.bat (0 bytes)

The process %original file name%.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xMkwEIoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SOIUEAAs.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xMkwEIoY.bat (0 bytes)

The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LGEQcoUY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YYMQssoU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LGEQcoUY.bat (0 bytes)

The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OMsoQMwc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fwsYQMAw.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OMsoQMwc.bat (0 bytes)

The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uuYIkMUw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FucYMoAY.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FucYMoAY.bat (0 bytes)

The process %original file name%.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eYUgMogY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zWwoocAE.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eYUgMogY.bat (0 bytes)

The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GCQYUIsk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MoEwQUsQ.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GCQYUIsk.bat (0 bytes)

The process %original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZacsIQsg.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DScQwgEE.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DScQwgEE.bat (0 bytes)

The process %original file name%.exe:168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YywcYwos.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pawsAQQM.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pawsAQQM.bat (0 bytes)

The process %original file name%.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EuQgUggc.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZSkQAwwo.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZSkQAwwo.bat (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3201 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3249 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (4057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UOooMgIo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dQskgIMs.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dQskgIMs.bat (0 bytes)

The process %original file name%.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CkgIsUQA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hosIAkIA.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CkgIsUQA.bat (0 bytes)

The process %original file name%.exe:248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jyYEcYIQ.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cMcEMgUY.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cMcEMgUY.bat (0 bytes)

The process %original file name%.exe:1640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IccEIUgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sekQscYo.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IccEIUgI.bat (0 bytes)

The process %original file name%.exe:908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oEsUUcgM.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMgIIccc.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oEsUUcgM.bat (0 bytes)

The process %original file name%.exe:1456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OmAokUso.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZcYEsgkU.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OmAokUso.bat (0 bytes)

The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TyQskEkI.bat (4 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xoQYsgAY.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TyQskEkI.bat (0 bytes)

The process %original file name%.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yeIUUUYo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NssooooA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yeIUUUYo.bat (0 bytes)

The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IYMAIkQw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UKAcYYQg.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IYMAIkQw.bat (0 bytes)

The process %original file name%.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wMgMMAIg.bat (112 bytes)
C:\09c7c108fa1cfa6052d4b24310e3b608 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pUcAEwIQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pUcAEwIQ.bat (0 bytes)

Registry activity

The process fGAwoYMM.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE F0 7A D2 63 33 90 CD 54 03 71 49 78 16 F9 DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 FF 72 FF 16 56 67 F4 A7 F5 E6 76 A8 44 5B C4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 08 CA 94 AF 37 06 A0 67 97 CC 87 E4 C5 A4 50"

The process %original file name%.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 13 B0 62 A3 71 4B FF 58 FB 53 81 01 01 B6 10"

The process %original file name%.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 8D E7 7D 26 BB A3 A8 76 C6 71 FC 38 E2 EA A6"

The process %original file name%.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 66 AE F7 78 4A DC BA 2B 7F EA 9E 9C 2D D2 7B"

The process %original file name%.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 FF CE E1 32 20 92 96 2A 94 99 35 05 37 D1 44"

The process %original file name%.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 28 94 62 67 78 12 47 E6 17 CB 93 9E 8D EA 4A"

The process %original file name%.exe:1168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 12 CC 8B 2F 23 90 9E 0D 2E D6 0B 9E 2B 35 C0"

The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 F4 57 AA 8D CB 90 1A 44 85 F8 F8 42 14 AE 52"

The process %original file name%.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 32 E7 25 2E 3A 6F DA AD C7 7B A9 AE DE BF C7"

The process %original file name%.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 95 7C 4F 9B 1D 56 8F 62 94 13 0C A0 CC BA DC"

The process %original file name%.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC A3 88 77 66 62 B7 AF D4 4B 2A 2A 21 8E 75 7B"

The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 31 CD 15 96 D8 2C E8 D9 83 3B 3F 2F 09 DF CD"

The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 3F 2B 56 7B EA 9C 11 F1 FA 41 1C 1F 11 B7 02"

The process %original file name%.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B E9 1D 13 D0 D8 71 3B 7A 37 D4 FA E7 DD CA 61"

The process %original file name%.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 AC E4 E0 66 DF 4E 2F C3 56 9A E4 72 29 6C 5D"

The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 7B 37 B2 B7 54 4E B5 B7 81 A1 6A C7 A9 25 17"

The process %original file name%.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 0C 4B F4 65 1F C7 12 2C F0 D9 86 75 0F 71 99"

The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 5F AC 64 A5 54 A7 04 1F 58 DB A0 D0 02 5C FF"

The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF B1 21 6C 6B 33 DB B6 E8 42 C3 3C 53 B6 E2 4D"

The process %original file name%.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 98 8C 4E AB E7 59 3E 12 F2 1F 5C F8 2A DD 4D"

The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 CE 8B 78 20 01 48 BE 2B 1E 26 3B AE 15 2D 53"

The process %original file name%.exe:1372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 6C 58 F5 CE CB 40 B6 AA E8 67 1E 28 9F 7C E2"

The process %original file name%.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 0A 2D F4 43 8B 76 1C 3B 59 BC 00 E2 52 0F 07"

The process %original file name%.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 3B E2 FD 03 31 CC 0E D6 0B F8 6B 25 12 56 39"

The process %original file name%.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA C1 E5 44 6B 15 50 B7 59 AF 19 70 85 FF 8C CA"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 76 0B FA BE 18 B3 F7 35 3F 33 DE 5D 18 33 E2"

The process %original file name%.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 67 B3 FB 42 F3 2A 55 CD 6A 6B CA 1C EF 9E EC"

The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 4B 85 60 CC 1B C6 E5 43 29 9F 47 B4 E8 02 A5"

The process %original file name%.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B F9 6B 86 CD 13 5E 18 A2 5E F0 0C 25 29 2E 50"

The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 40 AF 25 FE 17 AE 71 A0 16 EF 93 DB 30 A5 D5"

The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 9B 2B 46 16 4E 1A 5A 62 E9 62 1C 09 C0 F5 3E"

The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 C6 E6 97 86 01 45 B2 4E A0 3D 29 16 CD EE 09"

The process %original file name%.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 0F 9D 62 16 AC 78 54 69 9B CC 2A 89 B2 1B 66"

The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 42 84 D6 0E 7A 3C 3B AA 70 88 06 17 63 D2 1C"

The process %original file name%.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 6D 99 E8 0A 39 91 FB 24 66 F7 7D 81 58 8B 37"

The process %original file name%.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 7F 5B 51 A1 4F 59 DF A0 45 F3 17 C3 E1 73 AB"

The process %original file name%.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 39 84 9D C4 D1 FC 2C 57 4B 60 D4 B4 CD AA 34"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 69 7B 6F 44 F6 B5 2B 9F 2A F7 7D 20 62 56 A7"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 C9 7C EF E6 F1 9F 4C 09 48 A8 02 A1 CA 01 45"

The process %original file name%.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 DB C8 53 A0 1D B3 77 89 CB 29 B0 6D 17 58 B7"

The process %original file name%.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 D1 B2 AC 23 BE D9 A1 33 46 3C 3F F6 C8 64 7F"

The process %original file name%.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 5C 63 52 AB CB 49 C1 7C 1E 9D FA 8E C4 03 FE"

The process %original file name%.exe:1456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 E8 29 F7 90 E0 9F BF 98 07 21 8F 82 F9 C6 12"

The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 F3 2A 70 16 AB 31 5A 0F A0 2F 69 4D 03 EE 16"

The process %original file name%.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B E5 BE 32 B5 D6 2A 1F 99 59 FE DF 6C 32 7D A9"

The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 A8 64 44 C9 DC FC 4F 7D 38 9E 9F 82 9D 08 A5"

The process %original file name%.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 9F 2B 82 A8 A2 B4 15 01 9C A4 45 07 37 69 4C"

The process cscript.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 0A 36 7C EB B2 83 EA E3 5C 54 43 91 58 B4 6E"

The process cscript.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 64 0D 42 30 1A 99 72 2D 2A EF 7C 12 A5 AA F2"

The process cscript.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 81 4D 23 46 D3 39 AF 9C 23 E1 71 15 A7 54 B5"

The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 E3 D7 D0 93 8E 5A 20 EF 51 99 80 3B 30 47 6F"

The process cscript.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 B2 8E 63 8B 85 57 74 72 5A 36 90 F8 49 30 C9"

The process cscript.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 32 8C 8C 38 F6 AC E3 10 2D 30 BE C6 38 86 73"

The process cscript.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 E9 DE 5A 3B E7 D6 5D 75 CB 94 D9 6F 46 56 18"

The process cscript.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 31 B5 71 7A 19 F2 E8 5E 22 CF C2 A5 51 50 EE"

The process cscript.exe:1548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 B3 31 55 01 1B 73 41 0A 5E BA 2A 32 6D 96 41"

The process cscript.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 B9 66 6C DD 84 DD 96 F7 22 08 C7 E9 05 A6 E5"

The process cscript.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 3F EA 08 E6 BD C6 B0 43 1F 5D 2F 34 47 03 B1"

The process cscript.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 18 10 2A C7 A8 24 A1 75 B8 4A D5 90 DB 2E 3A"

The process cscript.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 33 E5 26 07 6D E0 EB CD 60 B8 E7 C8 5C CC 98"

The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 2A 9D EB D7 82 1E 8D 2F 76 EA 69 79 76 A7 3A"

The process cscript.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 01 F8 63 EA 11 A6 F3 1F CA 72 26 A2 59 4F 22"

The process cscript.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 1A EE 5B 96 A0 6D 57 4F 97 38 76 F3 22 9D F0"

The process cscript.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 98 20 DC E4 09 2D 5C 98 4E B7 1B 8B BB 20 F3"

The process cscript.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE A3 F8 0E 0A C5 15 FC C1 27 D7 A0 73 71 2C 2A"

The process cscript.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 93 AF 60 B0 06 4D DA BB 37 DE 73 6F 5E 3A 4F"

The process cscript.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 B0 36 6A 31 77 6C 1E 6F 25 C0 A0 C5 EE DC 87"

The process cscript.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 0A 51 96 7D 69 4A 0C 3D 92 FB B7 57 2A 46 00"

The process cscript.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C0 AC 78 C5 8D 04 32 34 0F C5 04 FF 11 6D F7"

The process cscript.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 A2 F1 A2 4D 81 BD CA E7 52 8D 0C D7 C6 50 B2"

The process cscript.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 6F B3 91 5B E4 BD 2A 52 69 42 F8 CB 51 32 9B"

The process cscript.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CD 57 19 B9 EE 25 DC 69 22 73 EA B4 B6 91 80"

The process cscript.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 69 DD 37 F1 52 19 46 A0 55 AE CA FB 7B 46 E6"

The process cscript.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC DD 4D C4 0F FD 75 B3 83 96 43 6B DF 7B 88 89"

The process cscript.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 8F 5A 02 B9 E3 E9 72 38 BB B9 C4 1C FC 37 11"

The process cscript.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 57 63 03 52 38 19 F6 1F 63 6F 4F 9B C5 D9 0A"

The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 84 AB D5 B1 FB 6A 27 F3 E8 48 8C 2D 8C B5 86"

The process cscript.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 2C 0C 49 61 BC F5 AA 02 C6 82 41 7D A6 BB CD"

The process cscript.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 B7 2E 8C 79 63 07 60 34 58 5B 7E FE 5F FA C9"

The process cscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 74 6E B0 4A D2 E3 F7 2C DB 94 21 BF B6 06 AF"

The process cscript.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 92 A4 85 C5 A7 6C CF 82 67 4C D0 07 E7 79 62"

The process cscript.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 65 A9 99 A4 0C 69 C2 67 72 75 F9 26 E1 58 77"

The process cscript.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 34 45 D4 26 6D A1 FD E3 F3 80 AD A6 58 0B 5B"

The process cscript.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD B0 5E 38 2E B2 38 3A 6F 87 4A A1 C2 5A 25 01"

The process cscript.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F CC A0 2C D7 16 5A B5 1E B6 47 1C 7E B7 C4 A0"

The process cscript.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 B7 35 DE 7C 77 B9 27 BE 19 77 AF 61 0F 1C 77"

The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 00 E0 6A 62 52 07 7C 0F A5 F0 B3 55 05 55 27"

The process cscript.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 27 30 AD F7 D8 3E 50 78 C8 3F 24 72 2A AD 7A"

The process NesIMIQs.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC FC 64 5A A3 C7 1D 64 95 59 59 F3 81 80 B0 71"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

Dropped PE files

MD5 File path
de6ae9efebe48d81081a9136ea293554 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
0d9098cbdc998612d4942fbf07e468c3 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
da498fb064020ffb3dfab4539da2f49e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
06ff0b1b98710d70d8076c9ecc771c0d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
bdf3bc37b7ed653979feb2c37ff9c14d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
cfa83ef443d0a25de43a3ece1e5bdfe2 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
bbe4dcb30ad27a15a81f68fde9f80aff c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
21f3fa92a00c33264b41a7f76e46b0d2 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
58f264b8c01aa0cdcb1b09b5e364c196 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
c0d39ce770b3ee479c5d150e12bdfe3f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
2144a336601f535501dd8330b5702c92 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
b941f53247e0fb8996112fe8d36a1f2e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
8ab3a96024e2a0825cc26dd772bfd2d6 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
921544376045d09dda7024c3b0e22ecb c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
ebf30d2713a77dedcdaa3a2b157e6c59 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
91c9fd72f200358e7b890bf20cd0f935 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
75ea88186f9013b6dead7a2a17c0392c c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
4f6e0ee52c3595667eba5e903bf89fdd c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
fff6b7da8f5894dca2444896cbb4430f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
0535c53391d32f82431cb6781391a294 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
d68c42ec683835d092fa212b98c9b984 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
c392c0242307cd1cff820af833f96c32 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
0b7e0938fdfa93e1c1a6d3b2cd544ea5 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
b698b6317584bd31973dabd1099b4164 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
d88d26a4c5698338717d9578ee4f2730 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
91019daae0d0ec89d1ad89c6a1d06cab c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
e42b1044aa684baf4dc33ae8d940704d c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
9d2bf09d1cf8021f72b3a69f2c2407ca c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
ea2cbad49bc221d033991f257807d967 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
c570334b5759ebc0ef34b866f541f8d6 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
1b915eed0cc589956516e15ff43e0fe9 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
29863128aebe404ecfeee763673ebe82 c:\Perl\eg\IEExamples\ie_animated.gif.exe
7a900cc83bdb6a1956cf7161b61ab978 c:\Perl\eg\IEExamples\psbwlogo.gif.exe
9cb679e20480d9be407177f5e83a114d c:\Perl\eg\aspSamples\ASbanner.gif.exe
f8e607c9248525e66bdfe670a4de42eb c:\Perl\eg\aspSamples\Main_Banner.gif.exe
21ee7d6c9501bc5b3d958f998488d675 c:\Perl\eg\aspSamples\psbwlogo.gif.exe
e80d09a98cb09dccc879c49c338f0741 c:\Perl\html\images\AS_logo.gif.exe
7b9a90de54948406f1d374392ebdb824 c:\Perl\html\images\PerlCritic_run.png.exe
e3795b40a30a2b98daaa1120934e74d9 c:\Perl\html\images\aslogo.gif.exe
992fab433c1a3512cb7b76ce558c1651 c:\Perl\html\images\ppm_gui.png.exe
16a150350a9fb92185332fd396e237ae c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
4c840e891b2a2c1ee91cec2aa0f383d8 c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
efcf1e8642a0149876716286a1e21981 c:\Perl\lib\Devel\NYTProf\js\asc.png.exe
3ae6868b6b6088c1e10c9c3ce3b9857f c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
38f8bd6c8070fe8c62ebda2f1eacac8b c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
edfead1bb46e120bebe596b09acaff94 c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
7334cda6907de5c37e6abd56b4ddce78 c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
339009e85f825e0bac0fe4a82d6817d4 c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
a81bb3c3eb3ae66ff726725d50a34dc3 c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
def1217bdc9ecd5042bc23d6911f7f67 c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
3ded0886cc64c9878affb5ddfe9b6de0 c:\Perl\lib\Mozilla\CA\cacert.pem.exe
d926bfd9deae877f6fcc164cc9b86708 c:\totalcmd\TCMADMIN.EXE.exe
f53c24cc8a7bb1102e83b27fe1399191 c:\totalcmd\TCMDX32.EXE.exe
4f80d090e1ef1108434e80dc73491666 c:\totalcmd\TCUNINST.EXE.exe
3cfeab035c2d6ecfc734f7086abc3040 c:\totalcmd\TOTALCMD.EXE.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             495616        493568    5.50839  a102da7ab16f7d35b84754ff029724ac
.rdata  499712           4096          512       1.90742  00db3b4bac4fd4c90796d9c4f991d10f
.data   503808           280           512       2.84706  607b6016384674450e6edebd81225dba
.rsrc   507904           4444          4608      2.85679  9d92d0d5f3300d182f67b4c8e3d27e88

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1164
    %original file name%.exe:308
    %original file name%.exe:1268
    %original file name%.exe:1160
    %original file name%.exe:1144
    %original file name%.exe:884
    %original file name%.exe:1168
    %original file name%.exe:608
    %original file name%.exe:1924
    %original file name%.exe:1928
    %original file name%.exe:596
    %original file name%.exe:344
    %original file name%.exe:1948
    %original file name%.exe:1836
    %original file name%.exe:1232
    %original file name%.exe:1772
    %original file name%.exe:1852
    %original file name%.exe:668
    %original file name%.exe:956
    %original file name%.exe:1568
    %original file name%.exe:1500
    %original file name%.exe:1372
    %original file name%.exe:508
    %original file name%.exe:1376
    %original file name%.exe:916
    %original file name%.exe:348
    %original file name%.exe:1012
    %original file name%.exe:2012
    %original file name%.exe:568
    %original file name%.exe:1092
    %original file name%.exe:772
    %original file name%.exe:616
    %original file name%.exe:1136
    %original file name%.exe:588
    %original file name%.exe:316
    %original file name%.exe:168
    %original file name%.exe:240
    %original file name%.exe:228
    %original file name%.exe:1968
    %original file name%.exe:248
    %original file name%.exe:1640
    %original file name%.exe:908
    %original file name%.exe:1456
    %original file name%.exe:828
    %original file name%.exe:648
    %original file name%.exe:820
    %original file name%.exe:1368
    cscript.exe:1128
    cscript.exe:216
    cscript.exe:1144
    cscript.exe:1952
    cscript.exe:1124
    cscript.exe:316
    cscript.exe:1920
    cscript.exe:1924
    cscript.exe:1548
    cscript.exe:1832
    cscript.exe:1968
    cscript.exe:1772
    cscript.exe:1852
    cscript.exe:1944
    cscript.exe:1568
    cscript.exe:320
    cscript.exe:188
    cscript.exe:916
    cscript.exe:348
    cscript.exe:408
    cscript.exe:308
    cscript.exe:448
    cscript.exe:1360
    cscript.exe:1132
    cscript.exe:564
    cscript.exe:1796
    cscript.exe:1956
    cscript.exe:1888
    cscript.exe:1912
    cscript.exe:1016
    cscript.exe:1880
    cscript.exe:860
    cscript.exe:908
    cscript.exe:1768
    cscript.exe:808
    cscript.exe:1100
    cscript.exe:648
    cscript.exe:1760
    cscript.exe:1740
    cscript.exe:1368
    cscript.exe:516

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7971 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (3073 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (3073 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (31071 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (3073 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (4185 bytes)
    C:\totalcmd\TcUsbRun.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5873 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\liIkUwcA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kmkkEcoc.bat (112 bytes)
    C:\09c7c108fa1cfa6052d4b24310e3b608 (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ikUMYwwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LMoEkcUA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eaYEsYkU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RWEkQAwE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sewEIoMs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RukAsUwQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hYcIkoEU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pUEMIcYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MIgcEkcI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bIIsAMoA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ysQMcIAE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\niwIAAYo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yMwYMUkE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CskoIEgo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KUYQQQcI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LcAQkgYw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oMsAUgMA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\emoIUMEI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YOYwwkEE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XMgUUwoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\acgscQIg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RswoYwUg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OSQYAkIc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vuMcswUE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AMcUwIUw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vywgEQsE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oswMkgcc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GOIYgskU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mkoYEMYk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IaQQYAUw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EsQwwYsw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QckMUQkM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WecIYIwo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vmwwIsAo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pCMossQI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fSggkEUs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FYwcMAYw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CWQsowMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LOIQcQos.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RkcIcoME.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NYcUMYso.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hqcMkAoI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YmcggMcs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lEkAsoEM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WIMIAIcI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DCUkUIcQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mmsoYwgk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\seMIkoEU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qWIkYoIc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TwQcoEsA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MIsEAoUI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qecEEccM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pQUgccow.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MmcMUMsM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UGIEQsgM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ouQosYYw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xMkwEIoY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SOIUEAAs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LGEQcoUY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YYMQssoU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OMsoQMwc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fwsYQMAw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uuYIkMUw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FucYMoAY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eYUgMogY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zWwoocAE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GCQYUIsk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MoEwQUsQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZacsIQsg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DScQwgEE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YywcYwos.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pawsAQQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EuQgUggc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZSkQAwwo.bat (4 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3201 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3249 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (4057 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UOooMgIo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dQskgIMs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CkgIsUQA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hosIAkIA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jyYEcYIQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cMcEMgUY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IccEIUgI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sekQscYo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oEsUUcgM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LMgIIccc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OmAokUso.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZcYEsgkU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TyQskEkI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xoQYsgAY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yeIUUUYo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NssooooA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IYMAIkQw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UKAcYYQg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wMgMMAIg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pUcAEwIQ.bat (4 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
