Gen.Variant.Kazy.563854_79d968e0ce

by malwarelabrobot on March 30th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.563854 (B) (Emsisoft), Gen:Variant.Kazy.563854 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 79d968e0ce11dd53d7cd00c190ecbda3
SHA1: 3a3e5c0df23129d6e0634d1730387927556f6156
SHA256: 2de772ac1be5c1b059af3192205f8ca371d6187f214c4544e94fc15b15aa2af2
SSDeep: 49152:FsfWSMkEGu jwuCELr5iaEzn1bIbuD4qym4rJnmvsW4fa4QlaOChkMIZ7UxLq:OfmkC ISKd5mmvFsNgfYLq
Size: 3101184 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

cscript.exe:308
cscript.exe:1948
cscript.exe:1268
cscript.exe:1340
cscript.exe:1336
cscript.exe:1364
cscript.exe:1924
cscript.exe:1952
cscript.exe:1016
cscript.exe:1368
%original file name%.exe:1092
%original file name%.exe:1980
%original file name%.exe:228
%original file name%.exe:244
%original file name%.exe:1768
%original file name%.exe:808
%original file name%.exe:488
%original file name%.exe:188
%original file name%.exe:1912
%original file name%.exe:1760
%original file name%.exe:492

The Trojan injects its code into the following process(es):

fGAwoYMM.exe:1936
reIEcoQI.exe:1488
NesIMIQs.exe:2000
NesIMIQs.exe:820

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process fGAwoYMM.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)

The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OUIYoAAY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QewEUggY.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OUIYoAAY.bat (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mkckAEAQ.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fcwgQkYo.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mkckAEAQ.bat (0 bytes)

The process %original file name%.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKcAQQAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lkkUUswI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lkkUUswI.bat (0 bytes)

The process %original file name%.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vmgQwUsY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOYoossA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vmgQwUsY.bat (0 bytes)

The process %original file name%.exe:808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yicAccUc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QyQUEoYI.bat (112 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yicAccUc.bat (0 bytes)

The process %original file name%.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xUgUYQMY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (24578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMUQIUck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jEAUUokM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwIAkYQw.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xUgUYQMY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwIAkYQw.bat (0 bytes)

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7905 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YecwkIUw.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7929 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ickwowks.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ickwowks.bat (0 bytes)

The process %original file name%.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKIQAEIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aSQcYkIU.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aSQcYkIU.bat (0 bytes)

The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mAUAAMEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEccIEYQ.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fEccIEYQ.bat (0 bytes)

The process %original file name%.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oSUkQMoA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JkUwgwMQ.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oSUkQMoA.bat (0 bytes)

Registry activity

The process cscript.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 67 BD 63 01 65 D8 E1 11 0E 49 46 1A 95 3B 47"

The process cscript.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 B6 61 07 DA F0 18 4B 58 00 E0 60 2D A5 2A 7D"

The process cscript.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 17 95 97 E6 95 65 30 5A AA 2C 22 62 6D 0C B2"

The process cscript.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD ED 12 E0 9C 11 21 DE 79 D1 F8 ED 1F 2E 6E C6"

The process cscript.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B3 18 FB 11 3B 1D D3 4D 8E D9 67 A8 B8 54 A4"

The process cscript.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 35 D4 73 ED A2 CE 0B 79 01 3B 99 58 71 48 D9"

The process cscript.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F C7 92 59 67 A5 68 26 BB 90 08 1A 03 CE 13 0C"

The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 F3 C0 F3 38 A9 9C 5F 2E 01 57 25 EE 61 94 A5"

The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 20 E9 2F 59 DC FA C5 4A B3 72 D9 68 44 D7 2F"

The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 32 3D F1 32 C6 F5 03 01 97 FD 3E 78 50 8A 17"

The process fGAwoYMM.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 72 4E 8C B3 B1 84 12 9E BF AD AF EA B2 80 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 B0 A8 E0 52 DD 24 62 B8 73 AF 1F D7 34 65 F8"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process NesIMIQs.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 65 84 92 BA FB 26 72 1F 80 04 8E 5C 72 82 AB"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process NesIMIQs.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 67 5F C4 7F 5C F3 A9 8D D9 92 F9 14 06 C4 26"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 9B 49 14 72 F7 BD DF 8B 73 00 F2 6A 27 55 6D"

The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 BF 50 88 4C E1 19 17 49 1B 68 0A C3 16 60 2C"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 25 6E 43 DF 7F EC 28 49 3A 4F 65 8E 7E A1 2F"

The process %original file name%.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 3F 3A 68 4E CA 3F 32 ED 18 18 BD 2A D5 E7 B2"

The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 9C 30 80 44 ED 1E 09 5A 87 95 41 68 28 10 5A"

The process %original file name%.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 4C 78 50 FF B8 DE AF 8B 3B 6D FA FB 25 33 47"

The process %original file name%.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 4B 27 38 C6 1F 74 46 D6 1E 79 EE 10 14 BD 31"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C CA 47 C6 91 12 F8 AE 9C 1E 24 57 A2 1F 27 D7"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 75 FA 11 27 9E EF 80 18 71 7A D3 3B E9 39 60"

The process %original file name%.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 FB 25 BB C3 3C D1 05 EC EA 14 D5 96 37 B1 0A"

The process %original file name%.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 D3 A6 A2 24 27 C0 C0 44 E5 E9 59 3B 9A 85 D9"

Dropped PE files

MD5 File path
c90ae6d96ae6f2764a61863fdc761990 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
a8cae74117f87b42de530ae35fc9bd08 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
11e9c5a8149487e7c5cd733fd89140cf c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
e0cd41d079435842dc854b31edca01cf c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
ad603b137bc184269629e44a1d3c0617 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
47b561ea08b827f5157e70cb336a76f4 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
6d3be859a073c9919ebf26a43ea84254 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
d66c2928f520298afc09d873dac2cf84 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
7caf3c95d42f3abfaad20a3d0ec129c3 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
fbd58375d8eab11c9eda6161daeeeb76 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
364ef27fda6fb9ef1ac4960c34575237 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
ae5cad5ff7ca1675053cac58b629cd03 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
5e6e683e19ee5532422c963a9e94da0b c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
2a1b8a6ee1a22fcd8247d1c67d13de43 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
cc71bf46cd897274a7be24763d5036a3 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
c18dd3ca8988a9a98a748e0b0474f530 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
ed58015ca7fd41e32097b9f69cb6d57a c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
b3500ce0d0f730fa78ac0a8b25147b65 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
aafd92c60e143ccfa58f04c428ac7625 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
71e8f13638afe1e757a9461c517414cb c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
830dfb57c28a421cb82492ab90a0de0d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
776549bf44fac52998e740b2151803ec c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
15208c831782ffd183dc6cbda4cb5240 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
c818bba899f886f7ef2b0576746ff638 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
cff109567dbd24eaa0cedf62279a3204 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
be157d9a477008b6c1ec3c7e21d31028 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
dba54957e5ff9695699a864e93d17138 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
830cbbdd3ec147f950382b8eee7f26d1 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
aa601218da3dbe5be58cbbb9a5559322 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
f143e41e6b49d2e7aa25fcc404fe9e47 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
fc47fdd9280c137fa224da65eb82b9e6 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
aa481d84a8ecb76abfb6ddc5f9c3f15f c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe
bcbb36c92746f037db97af144fe01802 c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe
e3a26ef2d4045a7cd4eec38841581cc2 c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe
5671404965d34fca0da22b30817a6b6f c:\Perl\eg\IEExamples\ie_animated.gif.exe
774bf80c5fc85b508e778fa8a4f11ea1 c:\Perl\eg\IEExamples\psbwlogo.gif.exe
3f6fc019800b5ff777e6a4feb92db573 c:\Perl\eg\aspSamples\ASbanner.gif.exe
48c262d657ea5fefa7dfca596b7be255 c:\Perl\eg\aspSamples\Main_Banner.gif.exe
ffbc6e2860cfae23553acfe7c09a275f c:\Perl\eg\aspSamples\psbwlogo.gif.exe
a19fdfc0cb905f066ceb4d52cf5cf073 c:\Perl\html\images\AS_logo.gif.exe
0bd77af5c1f874535f84cc7267f66cee c:\Perl\html\images\PerlCritic_run.png.exe
206a786acd3aa3096049af5640c05340 c:\Perl\html\images\aslogo.gif.exe
2b1f9763f4a54489ef5731485690f3c7 c:\Perl\html\images\ppm_gui.png.exe
c087eaad01b029bfad6d1b13934a41ca c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
ca81773800bcac2460de4cc51e4659d8 c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
5959b9448c3ace5c8e2cb404dd8139b9 c:\Perl\lib\Devel\NYTProf\js\asc.png.exe
c57cd8484db30259ac6b39dc8a10db8a c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
c3d2793b1d207a52fbd39451e4805f1e c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
1eddce72256fda590ad56438d0b74edf c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
ce3ccf97c8a4a7023217ecf5950703db c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
2d96b1e729f043d0e0e7eb665e6d969c c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
8290990f796f3095080c0d9cea52f7c3 c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
41f9390a8ce5e0f97ec265b45d354611 c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
eb78a589630bd6904ac8c4e3f2fe3583 c:\Perl\lib\Mozilla\CA\cacert.pem.exe
99459b939a4ce07566851706e94e6d0a c:\totalcmd\TCMADMIN.EXE.exe
a65ec9cf1d0f22b1f91d3fb38e953a00 c:\totalcmd\TCMDX32.EXE.exe
8332a4e74ab6bb1d4ec8fe5ef15260aa c:\totalcmd\TCUNINST.EXE.exe
14b56e9ff565f3fa6543a019a88163bb c:\totalcmd\TOTALCMD.EXE.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 3096576 | 3094016 | 5.52995 | b112711f2e531b745c86416fcc97d4c5
.rdata | 3100672 | 4096 | 512 | 1.27152 | 9cefed5e5bd362bd8160aa3154a70ed9
.data | 3104768 | 3 | 512 | 0.042395 | 48ea7cf0c3eae42953cca5d7768ab661
.rsrc | 3108864 | 4444 | 4608 | 3.23525 | b7d8131698f7481a2f125f8eb5da7b32

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cscript.exe:308
    cscript.exe:1948
    cscript.exe:1268
    cscript.exe:1340
    cscript.exe:1336
    cscript.exe:1364
    cscript.exe:1924
    cscript.exe:1952
    cscript.exe:1016
    cscript.exe:1368
    %original file name%.exe:1092
    %original file name%.exe:1980
    %original file name%.exe:228
    %original file name%.exe:244
    %original file name%.exe:1768
    %original file name%.exe:808
    %original file name%.exe:488
    %original file name%.exe:188
    %original file name%.exe:1912
    %original file name%.exe:1760
    %original file name%.exe:492

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
    C:\totalcmd\TcUsbRun.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OUIYoAAY.bat (4 bytes)
    C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QewEUggY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mkckAEAQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fcwgQkYo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jKcAQQAU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lkkUUswI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vmgQwUsY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JOYoossA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yicAccUc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QyQUEoYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xUgUYQMY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yMUQIUck.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jEAUUokM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qwIAkYQw.bat (4 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7905 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7857 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YecwkIUw.bat (112 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ickwowks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jKIQAEIY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aSQcYkIU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mAUAAMEE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fEccIEYQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oSUkQMoA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JkUwgwMQ.bat (112 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
