Gen.Variant.Kazy.530639_2a10c7359a

by malwarelabrobot on March 30th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.530639 (B) (Emsisoft), Gen:Variant.Kazy.530639 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2a10c7359a40e0cef84801d417140453
SHA1: 4f87096476480780bd773addffbdc2ead974b8d5
SHA256: f79cca5cb599d61d613f052024d6b638aadc7b2669d88e62628206ab7d6be4f7
SSDeep: 24576:Dx1 UWONQjDASwS31qF3zHf7fOLQuslJzuMCb:DLXWOWjbt1qF3rD5vP4
Size: 1123840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

cscript.exe:216
cscript.exe:1408
cscript.exe:1144
cscript.exe:908
cscript.exe:1796
cscript.exe:444
cscript.exe:1372
cscript.exe:936
cscript.exe:644
cscript.exe:1760
cscript.exe:248
%original file name%.exe:740
%original file name%.exe:1136
%original file name%.exe:620
%original file name%.exe:1772
%original file name%.exe:1628
%original file name%.exe:564
%original file name%.exe:1796
%original file name%.exe:1548
%original file name%.exe:608
%original file name%.exe:368
%original file name%.exe:228
%original file name%.exe:1740
%original file name%.exe:816

The Trojan injects its code into the following process(es):

fGAwoYMM.exe:1940
fGAwoYMM.exe:1856
reIEcoQI.exe:1724
NesIMIQs.exe:1660

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KIAAoAQA.bat (4 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OwQkIUkU.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KIAAoAQA.bat (0 bytes)

The process %original file name%.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bcEEYwcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QQIQIUIU.bat (112 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bcEEYwcs.bat (0 bytes)

The process %original file name%.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hywgksUQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEQssEkM.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LEQssEkM.bat (0 bytes)

The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qKwsgskQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XeMUowYs.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qKwsgskQ.bat (0 bytes)

The process %original file name%.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SEIEYIUI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyMAgwIY.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SEIEYIUI.bat (0 bytes)

The process %original file name%.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwYUoMwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YagwEoQE.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nwYUoMwA.bat (0 bytes)

The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ycQsoYoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\noYYYUQs.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\noYYYUQs.bat (0 bytes)

The process %original file name%.exe:1548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HewcUUsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKAAAwcs.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HewcUUsM.bat (0 bytes)

The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uygwsEYs.bat (4 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tCYAkwYw.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uygwsEYs.bat (0 bytes)

The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KgcUEAIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DoEwAoYY.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KgcUEAIw.bat (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7833 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OKMAQUwQ.bat (112 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duksgkUg.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\duksgkUg.bat (0 bytes)

The process %original file name%.exe:1740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UEAMogMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OQYgooUI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OQYgooUI.bat (0 bytes)

The process NesIMIQs.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)

Registry activity

The process cscript.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 0B BF 79 CC C6 23 3E 40 0A 1C 79 6F 68 F6 C4"

The process cscript.exe:1408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 52 48 6C A9 3F 72 80 2F DE 31 02 A6 7C 75 EC"

The process cscript.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA CE C7 47 3F D1 59 39 36 98 2E 0E 5A A3 20 22"

The process cscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 F3 FA 38 3E E4 EE 6B 61 A1 0D 40 24 4C 18 F2"

The process cscript.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 B1 7B B0 C8 CF 23 92 FD 3B C2 77 6A E5 E4 22"

The process cscript.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 75 63 93 BD 74 7A 52 79 FF C0 D6 A0 E5 AD E3"

The process cscript.exe:1372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 80 52 DB AA C0 DA CE A8 C4 58 CE 3E 2C 58 FA"

The process cscript.exe:936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 25 DE 43 37 0F 6D AB 73 33 01 16 3C 25 AD 89"

The process cscript.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 AD 11 39 05 A0 44 5F D0 AD 4E 52 D4 2F C4 92"

The process cscript.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 45 35 01 F5 C3 23 5D 0B E5 50 5E FC 25 33 AD"

The process cscript.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 85 94 89 56 26 CE 8F BE B8 F0 74 C3 C4 B3 10"

The process fGAwoYMM.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9D 95 E8 EA B0 78 1C 67 7D 43 93 B8 40 C9 DD"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process fGAwoYMM.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 21 7D E8 29 95 63 0D 04 86 34 66 08 06 C0 E9"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 87 D1 D3 FD B0 E5 CB 64 94 39 B4 72 A4 1A 32"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D CD 8C 63 48 1F 06 16 FE E8 EF 2C DD EE 2F 82"

The process %original file name%.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D4 55 BF A1 A4 AE CA C7 87 1D 1E 80 0A A5 0F"

The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 37 71 F0 7D 60 76 AD 19 CB D6 78 BF 99 AA D9"

The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C6 56 B4 FE 0E DC 6B F3 EB AA D9 E4 08 3C 0D"

The process %original file name%.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 94 3F D8 44 07 5D CC 94 91 06 3F B7 91 E6 25"

The process %original file name%.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 85 D6 02 A7 B6 CC 41 A5 28 14 45 F8 66 C3 E5"

The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 09 65 16 75 6A 9A 2F EE AE 02 42 DF FF 7C DE"

The process %original file name%.exe:1548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A1 93 58 BE 11 AA A7 23 E4 A4 2C FC 0C 47 26"

The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 27 87 2E 4C 2B 59 E2 12 49 9F F8 4C 7A 02 58"

The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 CF D2 80 C7 2C 52 33 9A 84 FC 5B 00 69 1E B4"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E E0 2C EA FE 06 93 2B 7C 2D B8 F0 0D C9 E7 0F"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 70 56 74 87 E1 F2 74 1C 8B 27 EF A9 06 B4 40"

The process %original file name%.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 9A D3 EC 83 06 F4 86 E1 F1 7A DA 77 D9 4F E7"

The process NesIMIQs.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 92 4F 0A 11 5E BA C0 0D 7E 15 17 DC D0 A2 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             1122304       1119744   5.47553   28ba66a1276326f2d6ccbfff93e074cc
.rdata  1126400          4096          512       2.30377   73d0ca39d8088a3da54ad6e17ab21643
.data   1130496          5             512       0.067931  b476f33081382201f38df08359f0d634
.rsrc   1134592          1372          1536      2.36363   eaa4f9ddd93235c7fe1f3852be0e3515

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cscript.exe:216
    cscript.exe:1408
    cscript.exe:1144
    cscript.exe:908
    cscript.exe:1796
    cscript.exe:444
    cscript.exe:1372
    cscript.exe:936
    cscript.exe:644
    cscript.exe:1760
    cscript.exe:248
    %original file name%.exe:740
    %original file name%.exe:1136
    %original file name%.exe:620
    %original file name%.exe:1772
    %original file name%.exe:1628
    %original file name%.exe:564
    %original file name%.exe:1796
    %original file name%.exe:1548
    %original file name%.exe:608
    %original file name%.exe:368
    %original file name%.exe:228
    %original file name%.exe:1740
    %original file name%.exe:816

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\KIAAoAQA.bat (4 bytes)
    C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OwQkIUkU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bcEEYwcs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QQIQIUIU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hywgksUQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LEQssEkM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qKwsgskQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XeMUowYs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SEIEYIUI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TyMAgwIY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nwYUoMwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YagwEoQE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ycQsoYoI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\noYYYUQs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HewcUUsM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jKAAAwcs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uygwsEYs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tCYAkwYw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KgcUEAIw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DoEwAoYY.bat (112 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7833 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7833 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OKMAQUwQ.bat (112 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7833 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\duksgkUg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UEAMogMg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OQYgooUI.bat (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
    C:\totalcmd\TcUsbRun.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
