Troj/Agent-VRC

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 11 Apr 2012 18:19:41 (GMT)
Last Updated: 11 Apr 2012 18:19:41 (GMT)


Troj/Agent-VRC exhibits the following characteristics:

File Information

Size
52K
SHA-1
f57d1cf4280f8ea09689479075f900efcfa3eac1
MD5
a2890ba6dc1a4f157914601efd000e9b
CRC-32
7982d7c9
File type
application/x-ms-dos-executable
First seen
2012-04-11

Other vendor detection

Kaspersky
HEUR:Trojan.Win32.Generic

Runtime Analysis

Copies Itself To
  • C:\test_item.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\ydvtLsBE87mu4yn.exe
Dropped Files
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.EnCiPhErEd
  • C:\mmjobid
    Size
    11
    SHA-1
    6303b4439fc77d36b530b0fa75ba541dc5a8634c
    MD5
    0d5500e7697a772c30266a086e2d8787
    CRC-32
    56f8c063
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\ActivePerl 5.14.2 Build 1402\Perl Package Manager.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\My Pictures\Sample Pictures.lnk.EnCiPhErEd
  • C:\files.txt.EnCiPhErEd
    Size
    1.4M
    SHA-1
    d2e0b33940f7358847b3d3acb471662edbb6394e
    MD5
    cd03ea9759b3e7b0fe1084590dfe3c37
    CRC-32
    65fe74d9
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\sample1.ppt.EnCiPhErEd
    Size
    12K
    SHA-1
    f8daa39aada8862b5219bfac2d0d8264141fbe55
    MD5
    a46e53ab9f9c7f5a9f6b3a1f9b0cfb6a
    CRC-32
    d05873db
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk.EnCiPhErEd
  • C:\Documents and Settings\Default User\Start Menu\Programs\Windows Media Player.lnk.EnCiPhErEd
    Size
    792
    SHA-1
    08634bd5f118ff9d8ef9d8d0a0a5f4f87672141d
    MD5
    3c87b7ffb4a531b8893ab0647d18d1b2
    CRC-32
    05f53a5a
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Checkers.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\GOAT9.XLS.EnCiPhErEd
    Size
    509K
    SHA-1
    30faf0788c1f46e4ead38d1663eda3d7471ed7db
    MD5
    ad6bbd0a79e63ae443b713a3ddf608ee
    CRC-32
    61a5dd51
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Hearts.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Paint.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Spades.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Reversi.lnk.EnCiPhErEd
  • C:\run.bat
    Size
    1.4K
    SHA-1
    90875a4b311d7e2bf718cfc09f2dc4bd47131404
    MD5
    17c612e24457e8a0d80e7bfd349b02ad
    CRC-32
    d95e6236
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\bin\vireng.log
  • C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Windows (x86)\Debugging Help.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim Read-only.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    48c3332e89b655fbd3e8ce14a31d4b2d9dc39c8e
    MD5
    63d1837904dcc4c2fb67718bcaf0567f
    CRC-32
    6fac9135
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Calculator.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.EnCiPhErEd
  • C:\Documents and Settings\LocalService\Local Settings\Temp\Sophos Anti-Virus Startup Log.txt.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Minesweeper.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Configuration.lnk.EnCiPhErEd
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk.EnCiPhErEd
    Size
    804
    SHA-1
    e6a08bd0daf989e2352781c2b07a23a848ac6d5a
    MD5
    af39c59f3f48d86ed592300e630587bd
    CRC-32
    38315be0
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\Favorites\Sophos.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.EnCiPhErEd
  • C:\bin\configuresav\services.msc.lnk.EnCiPhErEd
  • C:\Documents and Settings\Default User\Templates\winword2.doc.EnCiPhErEd
    Size
    1.8K
    SHA-1
    ad10845bcd53dc021abb40e5b86c11468b97e1b8
    MD5
    2cff3062c569c7d8dacd94ce4c737429
    CRC-32
    01163267
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\GOAT8.XLS.EnCiPhErEd
    Size
    121K
    SHA-1
    d3c5b17a8c5a7e3807eaeaa1c75767b951eedddb
    MD5
    059db982e9ccc196709870779cbe603c
    CRC-32
    2dc9945f
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\bin\configuresav\savmain.exe.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\brndlog.txt.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\SAMPLE1.XLS.EnCiPhErEd
    Size
    32K
    SHA-1
    b66fe9e2bf0a9e66f99776bd4417f5eea5d3a3fc
    MD5
    8a8bb8252376798f6fae1a66c53def1a
    CRC-32
    c3189a6d
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk.EnCiPhErEd
  • C:\Documents and Settings\Default User\Templates\powerpnt.ppt.EnCiPhErEd
    Size
    12K
    SHA-1
    5dd4eb08d43feae0dca803455aa9b49b69cac1c0
    MD5
    f6faac5303eee140f32024098372d1dd
    CRC-32
    3c0e3794
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Windows (x86)\Release Notes.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.EnCiPhErEd
  • C:\bin\OLD\mqTEST.txt.EnCiPhErEd
  • C:\bin\cmd.exe.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.EnCiPhErEd
  • C:\bin\configuresav\Config.lnk.EnCiPhErEd
  • C:\bin\AMC1.TXT.EnCiPhErEd
  • C:\bin\OLD\drivers.zip.EnCiPhErEd
  • C:\bin\configuresav\Sophos Anti-Virus CustomActions Log.txt.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\ActivePerl 5.14.2 Build 1402\Perl Critic.lnk.EnCiPhErEd
  • C:\bin\configuresav\cmd.exe.lnk.EnCiPhErEd
  • C:\bin\configuresav\Temp.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk.EnCiPhErEd
  • C:\bin\configuresav\Sophos Anti-Virus.lnk.EnCiPhErEd
  • C:\bin\_notepad++.exe.lnk.EnCiPhErEd
  • C:\bin\OLD\configuresav.zip.EnCiPhErEd
  • C:\bin\info.txt.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk.EnCiPhErEd
  • C:\bin\changelog.txt.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\support.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\WordPad.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Uninstall.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    61fd6421dff5d7d68cbed06cc34bb5092a9c9679
    MD5
    d625a10da710c317846972865fd4f6fd
    CRC-32
    1b2bda75
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\bin\loggers1.vbs
    Size
    432
    SHA-1
    c5d4582fd589851bad73f62f3e416b6da87624da
    MD5
    e86e199876e5c12c6841bd986c0f722c
    CRC-32
    e82fa941
    File type
    application/octet-stream
    First seen
    2012-03-13
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.EnCiPhErEd
  • C:\bin\loggers2.vbs
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    80a7058a25e5685f7e600c7395c867d5232ee5b2
    MD5
    f84b3dac7f7abfbd9882827e85da2c69
    CRC-32
    7013fcf6
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\gnu\bin\Command Prompt.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    941632467747086d559d018447cab3098a14e30c
    MD5
    528e89f8dd362c666a3234b7a31bc7f1
    CRC-32
    0af4125e
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk.EnCiPhErEd
    Size
    804
    SHA-1
    cf5b3cb1998e76245929d590e54befbfcf786506
    MD5
    e5bcb6fee836383c554bebf6a80a498b
    CRC-32
    f8da986c
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\GOAT4.XLS.EnCiPhErEd
    Size
    61K
    SHA-1
    9a33ec69c8ef6f23b38f3f8ee53e4bd2b67ebad8
    MD5
    0f0b49961db33fe4c155932dce83d23a
    CRC-32
    6b6cd7e0
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Tour Windows XP.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    995d5760817f8c7e19b32db25d7b4837aff21b40
    MD5
    3d8c4fe351b21a0b3bd129b70f8e8719
    CRC-32
    d974e2c6
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Command Prompt.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    de36fdd74c7961eea689b725e9db8e1cf4ef3f78
    MD5
    e3a0aec1f1e514e6f0457ef0bfa6b56b
    CRC-32
    fbe60830
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Internet Explorer.lnk.EnCiPhErEd
    Size
    767
    SHA-1
    3bbef842ffc76b28b7a6beb7c80b5f1cbe3d7570
    MD5
    bf4fe3f8416cd2a275384b00b6631c6d
    CRC-32
    53602141
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\ALMon.lnk.EnCiPhErEd
    Size
    770
    SHA-1
    c780deae601466fdf8ac8b9896d412baddf3ebcc
    MD5
    f5822fcb8238e50cdc568f60a235ce91
    CRC-32
    15cfd930
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Windows (x86)\Uninstall Debugging Tools for Windows (x86).lnk.EnCiPhErEd
  • C:\bin\_regedit.exe.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Wizards.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    9369f96d857f123fba292313489cb3b07a9fac8e
    MD5
    ec2633b3c93b8ab672f87407e3936693
    CRC-32
    5386ad09
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Windows Media Player.lnk.EnCiPhErEd
    Size
    792
    SHA-1
    172ead7acb3fbfb9712419ce09a8a34af2b0690a
    MD5
    98ba7c48676fd9e2cbe1e7fc385a1eaf
    CRC-32
    331cb3bd
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Templates\excel4.xls.EnCiPhErEd
    Size
    1.5K
    SHA-1
    1fafd62de50629f3fe6b8c2d5ac1ba338079c008
    MD5
    fb7658e7504f52aac20b4412598a3197
    CRC-32
    f6f2174a
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Synchronize.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    6aa2d1a666b824e5cd7733868753db8ba2089cb0
    MD5
    c16c680cb99f574f7ee4fb0ed20ce523
    CRC-32
    9b8c83e9
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Outlook Express.lnk.EnCiPhErEd
    Size
    738
    SHA-1
    4b5e4ca0d055b997be6766056a9d14e22d61bf4a
    MD5
    6cc5cb133722731fcd998e93f110af32
    CRC-32
    a8c18fa8
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Sample ActiveX Database\Sample ActiveX Controls Database.lnk.EnCiPhErEd
    Size
    736
    SHA-1
    7133a9fb8cf65a303896e9e8f264360d03c4197f
    MD5
    f567deb0c63c03a6d214db6b8cc92688
    CRC-32
    7ff4b1ca
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Windows Explorer.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    8bb10eac8ddcc56f28e8f3c7d02723fd41d60af1
    MD5
    79ad478f8f475379fd8a584aaccf5ecf
    CRC-32
    c3364335
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Templates\excel.xls.EnCiPhErEd
    Size
    5.5K
    SHA-1
    8a4e298791e2bc4d40f1218f1b5f3fad2a9e414c
    MD5
    f4bd2d36bd0c1b83f797a5c2116e1243
    CRC-32
    5317cfb0
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Sample ActiveX Database\Sample ActiveX Controls Readme.lnk.EnCiPhErEd
    Size
    587
    SHA-1
    e12e990ce4809f5acc98f53a7654cca30417d7de
    MD5
    95c564bf73f37fcde1577b1030de8d03
    CRC-32
    89a94233
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Notepad.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    a41270dde1a3d85a91667aa6edbf0e64842bb2af
    MD5
    6fc1c5cee0f10d981173f7a9513243c0
    CRC-32
    0655377f
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\gnu\bin\README.TXT.EnCiPhErEd
    Size
    693
    SHA-1
    5408a4bd578b5f9ed06939826853572c85f15f84
    MD5
    943732bfd7e3539aae9d9600da80d204
    CRC-32
    58fd7c7c
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\screencap.png
    Size
    47K
    SHA-1
    b7a4c458dbeab4f0b685294df52b0281ad2a4072
    MD5
    242f2500987bcad65723933d28056df3
    CRC-32
    14b9ced9
    File type
    image/x-png
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk.EnCiPhErEd
    Size
    386
    SHA-1
    f132283a3a18bf4b03504d5694002856702dd56c
    MD5
    7a44c77a31753b81c9a51f5f32cd11ae
    CRC-32
    0a61ebf1
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\cmd.exe.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    97517e6fafdab570aae50ff38253479088c61037
    MD5
    d5d3e6877c8f4d33f7def3b9751f42df
    CRC-32
    1fdb91b4
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Templates\sndrec.wav.EnCiPhErEd
  • c:\Documents and Settings\test user\Start Menu\Internet Explorer.lnk.EnCiPhErEd
    Size
    104
    SHA-1
    7ab967085061346b0ecb6b2672dcb3407aa9d2ff
    MD5
    54ab2de17189513c20fa3c0af21e0626
    CRC-32
    ae8bfb0f
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\gnu\doc.zip.EnCiPhErEd
    Size
    18M
    SHA-1
    052e0931ed9286b42cecc42fe95c6a6eab8439b4
    MD5
    0e8b91fec421dbd4d997e2636013a8ab
    CRC-32
    4fad74a8
    File type
    application/zip
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    331737766ca59f3478db26ab40c8abbfa15c2fab
    MD5
    b82785d9c0eb0c1124ea184742034be7
    CRC-32
    9eab2f85
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    e78b69a221749571ca8c9ae59e61493b31cb4da6
    MD5
    6cc83203cd4c4d0264b40ce0b2baf924
    CRC-32
    13242637
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Start Menu\Programs\Remote Assistance.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    b6f30f341947388d3319ecca5c382342726b6410
    MD5
    13a81e258ea7a3e3c30caee54a99c036
    CRC-32
    9825a35a
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Templates\powerpnt.ppt.EnCiPhErEd
    Size
    12K
    SHA-1
    5dd4eb08d43feae0dca803455aa9b49b69cac1c0
    MD5
    f6faac5303eee140f32024098372d1dd
    CRC-32
    3c0e3794
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\GOAT5.XLS.EnCiPhErEd
    Size
    77K
    SHA-1
    690f2ea33af8e451e37f8b63df30c6c2a1d5cd1c
    MD5
    3515580033fefd12018a72ee2bfc14fd
    CRC-32
    ea93bc29
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Templates\winword2.doc.EnCiPhErEd
    Size
    1.8K
    SHA-1
    ad10845bcd53dc021abb40e5b86c11468b97e1b8
    MD5
    2cff3062c569c7d8dacd94ce4c737429
    CRC-32
    01163267
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\gnu\contrib.zip.EnCiPhErEd
    Size
    2.3M
    SHA-1
    f72ea7910f18d89c8b41497369cc7e66611e6515
    MD5
    cdeb7567060cfcbb5ede35e34c731040
    CRC-32
    a7173628
    File type
    application/zip
    First seen
    2012-04-11
  • C:\gnu\info.zip.EnCiPhErEd
    Size
    1.1M
    SHA-1
    1ab2daa8492c7cb659a3d72c1e9b7121ed15743b
    MD5
    d1c664e796791ed1f3760b4b208f28f1
    CRC-32
    1a2dae66
    File type
    application/zip
    First seen
    2012-04-11
  • C:\ides.zip
    Size
    10.0M
    SHA-1
    73d09a373a9a7ec809e508e1196c0703b101d49f
    MD5
    89d741fcf576d7778317026c46e2e1cd
    CRC-32
    6cdbda53
    File type
    application/zip
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk.EnCiPhErEd
  • C:\bin\misc\bin_pe_files.zip.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.EnCiPhErEd
  • C:\bin\tile.vbs
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Freecell.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\sample1.doc.EnCiPhErEd
    Size
    27K
    SHA-1
    5b2d5f1d28ff72bde7d95354ae4398ba70c53432
    MD5
    3554f0186424f78f508017cef5491c77
    CRC-32
    fb4fe0d3
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Templates\winword.doc.EnCiPhErEd
    Size
    4.5K
    SHA-1
    e178c0e59599f8ad4ba057c2b083549997cac0dc
    MD5
    fae7b085d857d03c37a5367e5511b205
    CRC-32
    f5b353ab
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    995d5760817f8c7e19b32db25d7b4837aff21b40
    MD5
    3d8c4fe351b21a0b3bd129b70f8e8719
    CRC-32
    d974e2c6
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\GOAT3.XLS.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    4c2714a97c7f5ad464123fc685f94f02ecf9d2e2
    MD5
    0c619ae5ed7979efb18452ec18db4f23
    CRC-32
    b1b7cea5
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Pinball.lnk.EnCiPhErEd
    Size
    885
    SHA-1
    a45a182c894d62f79833557a1edd28cc42c85b58
    MD5
    d34c81830085fff3d0626a955d922599
    CRC-32
    55e16f97
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Synchronize.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    6aa2d1a666b824e5cd7733868753db8ba2089cb0
    MD5
    c16c680cb99f574f7ee4fb0ed20ce523
    CRC-32
    9b8c83e9
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    80a7058a25e5685f7e600c7395c867d5232ee5b2
    MD5
    f84b3dac7f7abfbd9882827e85da2c69
    CRC-32
    7013fcf6
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Windows SDK v7.1\Release Notes.lnk.EnCiPhErEd
    Size
    1.8K
    SHA-1
    274d2fbd61b67c3d9479657711ac3e1a11d18b60
    MD5
    174ffe0f477681bedd42a26598143d69
    CRC-32
    e9e2fb7e
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\GOAT2.XLS.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Windows (x86)\WinDbg.lnk.EnCiPhErEd
  • C:\gnu\include.zip.EnCiPhErEd
    Size
    103K
    SHA-1
    884e018f4c3c635f082900235954c1cdd9a333f6
    MD5
    4b88d15925ee4a18fdb2298ce8ae0ce5
    CRC-32
    d9c482f9
    File type
    application/zip
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt.EnCiPhErEd
    Size
    141
    SHA-1
    af1a9f35ebb960c582213c7584f7f03a81fe4f55
    MD5
    abed687014f42072bc68906c1f94723f
    CRC-32
    aa38b210
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    8bb10eac8ddcc56f28e8f3c7d02723fd41d60af1
    MD5
    79ad478f8f475379fd8a584aaccf5ecf
    CRC-32
    c3364335
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Windows SDK v7.1\Windows SDK 7.1 Command Prompt.lnk.EnCiPhErEd
    Size
    1.8K
    SHA-1
    ccf4ba0c6c2a8ba135dbd9a373e1b03d3e0d50f1
    MD5
    901c6651565f8bb2560381305504a427
    CRC-32
    055fc76b
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim Diff.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    089b759332d43f241e04e29d6b02260af3d9bdf9
    MD5
    c5c6a292e24627273126e46cc850f312
    CRC-32
    59d6e332
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.EnCiPhErEd
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    e78b69a221749571ca8c9ae59e61493b31cb4da6
    MD5
    6cc83203cd4c4d0264b40ce0b2baf924
    CRC-32
    13242637
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Debugging Tools for Windows (x86)\Global Flags.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Address Book.lnk.EnCiPhErEd
    Size
    774
    SHA-1
    0e49b774129e19e50a25ef6bb52140cb8afbe39b
    MD5
    e974ef3a606437749185fba0292c8a8c
    CRC-32
    eeb49999
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Windows SDK v7.1\Visual Studio Registration\Windows SDK Configuration Tool.lnk.EnCiPhErEd
    Size
    2.0K
    SHA-1
    5ffd6af02bbd85cea6098706ee1c49bd48d4152f
    MD5
    1e68075e3659d35725e94889da637650
    CRC-32
    be6a2189
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk.EnCiPhErEd
    Size
    386
    SHA-1
    f132283a3a18bf4b03504d5694002856702dd56c
    MD5
    7a44c77a31753b81c9a51f5f32cd11ae
    CRC-32
    0a61ebf1
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.EnCiPhErEd
  • C:\Documents and Settings\Default User\Templates\excel4.xls.EnCiPhErEd
    Size
    1.5K
    SHA-1
    1fafd62de50629f3fe6b8c2d5ac1ba338079c008
    MD5
    fb7658e7504f52aac20b4412598a3197
    CRC-32
    f6f2174a
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim Diff.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    6024620682d18fc17ecfc7428a21dcec8a783349
    MD5
    c82b63f602727dadf7b226f857d060c4
    CRC-32
    a9c6bc48
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk.EnCiPhErEd
    Size
    2.0K
    SHA-1
    47cda94b48fb7da05de5e8358060681f211c6f41
    MD5
    5a4a9136533b3b43b33e377e123b7e55
    CRC-32
    05d2b63d
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk.EnCiPhErEd
    Size
    2.3K
    SHA-1
    542b0279128ed45e003d6e662030871648570bb3
    MD5
    eedb17aa76da28054dc2d2a1572402cc
    CRC-32
    0aa7bc17
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\ImageMagick 6.7.6 Q16\ImageMagick Display.lnk.EnCiPhErEd
    Size
    1.7K
    SHA-1
    2e58c535d8035dfc4d844ae30a133f696572052a
    MD5
    671d63913014312eeb77a64e49ab8b46
    CRC-32
    9821af3f
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools Reference.lnk.EnCiPhErEd
    Size
    1.9K
    SHA-1
    ceed86b962e9247b1bffcb1e806ee69cb210ae9b
    MD5
    3e0bf81ee777111bdac3c76aac5b5e4d
    CRC-32
    2ce419d5
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Templates\excel.xls.EnCiPhErEd
    Size
    5.5K
    SHA-1
    8a4e298791e2bc4d40f1218f1b5f3fad2a9e414c
    MD5
    f4bd2d36bd0c1b83f797a5c2116e1243
    CRC-32
    5317cfb0
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    09d4dc1bd9ed32009a5828ee418d031ac74a1a71
    MD5
    abe9ed61d1671627830b328159dd91d6
    CRC-32
    11b9154b
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    04b76bf2bfa392126bfc6f17af9af4920f89a0c3
    MD5
    d472ffe47d7d64ab38f5a7b93df54bd7
    CRC-32
    b6a71f1a
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Notepad.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    a41270dde1a3d85a91667aa6edbf0e64842bb2af
    MD5
    6fc1c5cee0f10d981173f7a9513243c0
    CRC-32
    0655377f
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    331737766ca59f3478db26ab40c8abbfa15c2fab
    MD5
    b82785d9c0eb0c1124ea184742034be7
    CRC-32
    9eab2f85
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Solitaire.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    ce1916252a2257e215326f0307df80db2e3f3bd2
    MD5
    8bc2e1ffa75050d2c72a1c0b26461ef2
    CRC-32
    c0b4a9e9
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.EnCiPhErEd
  • C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    b6f30f341947388d3319ecca5c382342726b6410
    MD5
    13a81e258ea7a3e3c30caee54a99c036
    CRC-32
    9825a35a
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\GOAT7.XLS.EnCiPhErEd
    Size
    106K
    SHA-1
    70edee43ac622fbe4ed072b71b63329453087020
    MD5
    49aecc9f115ef878b976c6bc618ccf5d
    CRC-32
    e8df0a23
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk.EnCiPhErEd
    Size
    609
    SHA-1
    e1a635b876c4e7de9d7805c07bf9d309a0589091
    MD5
    f71d80fb1ea5ec7a2eb424e35ba50fb4
    CRC-32
    9f5d7457
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim Read-only.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    c3b90a7d54fc178029e68998f936d4a6d40fa87d
    MD5
    972c12118a68acc928f420d8bf422d6c
    CRC-32
    b03adb67
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim Easy.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    722213c8029928a350b1f2ea2e5c51384c05aadc
    MD5
    83c5b555ff416ff95eb6dfdbab371d03
    CRC-32
    1174feb1
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim tutor.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    5054f1985e1e9769d4c14909ee62d6fbaf41f0e0
    MD5
    0bfbb25d56a1ab2cccce4a93f0d2d105
    CRC-32
    8e82c77c
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    9369f96d857f123fba292313489cb3b07a9fac8e
    MD5
    ec2633b3c93b8ab672f87407e3936693
    CRC-32
    5386ad09
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\ImageMagick 6.7.6 Q16\ImageMagick Web Pages.lnk.EnCiPhErEd
    Size
    777
    SHA-1
    4681fdca166be2ac772eb29ba88c4b4385442e37
    MD5
    3fb6a979f1a432b55d09af66769b235b
    CRC-32
    ed28717b
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk.EnCiPhErEd
    Size
    1.6K
    SHA-1
    de36fdd74c7961eea689b725e9db8e1cf4ef3f78
    MD5
    e3a0aec1f1e514e6f0457ef0bfa6b56b
    CRC-32
    fbe60830
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Favorites\sau Logs.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk.EnCiPhErEd
    Size
    786
    SHA-1
    d455cc05c374e5d4483951c4d5c995bcabafd1dd
    MD5
    ee0c6bf0c896eb9b7c2bfd32b619c3bb
    CRC-32
    1846591f
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Hearts.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\GOAT6.XLS.EnCiPhErEd
    Size
    91K
    SHA-1
    fde44e6edecd268ff990a40dad658d87a45e55f7
    MD5
    4e560aa274477fd69cbf146b61901f2b
    CRC-32
    488e635b
    File type
    application/octet-stream
    First seen
    2012-04-11
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.EnCiPhErEd
  • c:\Documents and Settings\test user\Desktop\bin.lnk.EnCiPhErEd
  • C:\Documents and Settings\Default User\Templates\sndrec.wav.EnCiPhErEd
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.EnCiPhErEd
  • c:\Documents and Settings\test user\Templates\winword.doc.EnCiPhErEd
    Size
    4.5K
    SHA-1
    e178c0e59599f8ad4ba057c2b083549997cac0dc
    MD5
    fae7b085d857d03c37a5367e5511b205
    CRC-32
    f5b353ab
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\My Documents\My Music\Sample Music.lnk.EnCiPhErEd
  • c:\Documents and Settings\test user\My Documents\GOAT1.XLS.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk.EnCiPhErEd
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Help.lnk.EnCiPhErEd
    Size
    1.5K
    SHA-1
    7373253680d78c0209f1f5e282d703114f002982
    MD5
    df32baba53f0f392d44a398c4f602d3d
    CRC-32
    2be8a405
    File type
    application/octet-stream
    First seen
    2012-04-11
  • c:\Documents and Settings\test user\Favorites\SAV logs.lnk.EnCiPhErEd
Modified Files
  • %SYSTEM%\wbem\Logs\wbemess.log
    • Changed the file contents
  • %SYSTEM%\config\SAM.LOG
  • %SYSTEM%\config\system.LOG
    • Changed the file contents
  • %SYSTEM%\config\software.LOG
    • Changed the file contents
  • %PROFILE%\Cookies\index.dat
  • %HISTORY%
    • Set the hidden and system flags
  • %SYSTEM%\wbem\Logs\wbemcore.log
    • Changed the file contents
  • %PROFILE%\NTUSER.DAT.LOG
    • Changed the file contents
  • C:\Documents and Settings\LocalService\ntuser.dat.LOG
  • %PROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
  • %SYSTEM%\wbem\Repository\$WinMgmt.CFG
  • %INTERNET_CACHE%
    • Set the hidden and system flags
  • C:\KMDhips.txt
    • Changed the file contents
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APISPYDRV\0000
    Service
    ApiSpyDrv
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APISPYDRV\0000\Control
    ActiveService
    ApiSpyDrv
  • HKLM\SOFTWARE\Classes\HQPJXVFOZRYXUFB\DefaultIcon
    (Default)
    C:\DOCUME~1\support\LOCALS~1\Temp\ydvtLsBE87mu4yn.exe,0
  • HKLM\SOFTWARE\Classes\.EnCiPhErEd
    (Default)
    HQPJXVFOZRYXUFB
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    c:\windows\system32\cmdminimentor.exe
    Windows Command Processor
  • HKLM\SOFTWARE\Classes\HQPJXVFOZRYXUFB
    (Default)
    CRYPTED!
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    MRUListEx
    01 00 00 00 02 00 00 00 00 00 00 00 03 00 00 00 06 00 00 00 05 00 00 00 04 00 00 00 ff ff ff ff
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D414BCA974396B044A35E5BFD25BD9AF\Usage
    SAVService
    0x408b26df
  • HKLM\SOFTWARE\Microsoft\Cryptography\RNG
    Seed
    72 46 89 cf 79 bb 2c bb ab 9d 6b 17 18 91 6d 53 b9 64 a4 4b 9e 12 8a 75 a0 90 0a cc ea 58 07 dc e3 a4 ff 5a d9 c9 b6 32 67 90 34 5f 47 84 50 2f 29 6a 44 40 ab 2d c0 9c b5 71 f8 1c ac 8e 97 5b 2b 7f d5 17 80 7b 71 50 ef c7 b1 a8 30 db 5d 20
  • HKCU\SessionInformation
    ProgramCount
    0x0000000a
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Window_Placement
    2c 00 00 00 02 00 00 00 03 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 2c 00 00 00 2c 00 00 00 66 03 00 00 3c 02 00 00
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
    Count
    0x00000084
  • HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    (Default)
    0x0000000c
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore
    Count
    0x00000078
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
    Count
    0x00000078
  • HKLM\SOFTWARE\Sophos\SAVService\Status\LastScan
    NormalScan
    0x4f859e2e
  • HKLM\SYSTEM\CurrentControlSet\Services\ApiSpyDrv
    ImagePath
    \??\c:\bin\ApiSpy.sys
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
    Time
    dc 07 04 00 03 00 0b 00 0f 00 06 00 14 00 6f 01