HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.530639 (B) (Emsisoft), Gen:Variant.Kazy.530639 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2a10c7359a40e0cef84801d417140453
SHA1: 4f87096476480780bd773addffbdc2ead974b8d5
SHA256: f79cca5cb599d61d613f052024d6b638aadc7b2669d88e62628206ab7d6be4f7
SSDeep: 24576:Dx1 UWONQjDASwS31qF3zHf7fOLQuslJzuMCb:DLXWOWjbt1qF3rD5vP4
Size: 1123840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cscript.exe:216
cscript.exe:1408
cscript.exe:1144
cscript.exe:908
cscript.exe:1796
cscript.exe:444
cscript.exe:1372
cscript.exe:936
cscript.exe:644
cscript.exe:1760
cscript.exe:248
%original file name%.exe:740
%original file name%.exe:1136
%original file name%.exe:620
%original file name%.exe:1772
%original file name%.exe:1628
%original file name%.exe:564
%original file name%.exe:1796
%original file name%.exe:1548
%original file name%.exe:608
%original file name%.exe:368
%original file name%.exe:228
%original file name%.exe:1740
%original file name%.exe:816
The Trojan injects its code into the following process(es):
fGAwoYMM.exe:1940
fGAwoYMM.exe:1856
reIEcoQI.exe:1724
NesIMIQs.exe:1660
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KIAAoAQA.bat (4 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OwQkIUkU.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KIAAoAQA.bat (0 bytes)
The process %original file name%.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bcEEYwcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QQIQIUIU.bat (112 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bcEEYwcs.bat (0 bytes)
The process %original file name%.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hywgksUQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEQssEkM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LEQssEkM.bat (0 bytes)
The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qKwsgskQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XeMUowYs.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qKwsgskQ.bat (0 bytes)
The process %original file name%.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SEIEYIUI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyMAgwIY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SEIEYIUI.bat (0 bytes)
The process %original file name%.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwYUoMwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YagwEoQE.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nwYUoMwA.bat (0 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ycQsoYoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\noYYYUQs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\noYYYUQs.bat (0 bytes)
The process %original file name%.exe:1548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HewcUUsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKAAAwcs.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HewcUUsM.bat (0 bytes)
The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uygwsEYs.bat (4 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tCYAkwYw.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uygwsEYs.bat (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KgcUEAIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DoEwAoYY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KgcUEAIw.bat (0 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7833 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OKMAQUwQ.bat (112 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duksgkUg.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\duksgkUg.bat (0 bytes)
The process %original file name%.exe:1740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UEAMogMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OQYgooUI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OQYgooUI.bat (0 bytes)
The process NesIMIQs.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
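In the NesIMIQs.exe:1660 listing above, every path under "deletes" reappears under "creates" with ".exe" appended (dog.bmp becomes dog.bmp.exe, TOTALCMD.EXE becomes TOTALCMD.EXE.exe), and the Dropped PE files table further down confirms those new files are executables with distinct MD5s. With the default Explorer setting that hides known extensions, dog.bmp.exe is displayed as dog.bmp. The Python below is an added example, not part of the Lavasoft report; it pairs the two lists to recover which originals were replaced and which created files have no deleted counterpart. CREATED and DELETED are a constructed subset of the report's entries and the function names are my own.

```python
"""Pair the sandbox's create/delete lists to expose the name+'.exe' companion pattern."""
import ntpath
from collections import Counter

# Constructed subset of the NesIMIQs.exe:1660 file activity from the report: (path, size).
CREATED = [
    (r"%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe", 7385),
    (r"%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe", 11518),
    (r"C:\totalcmd\TOTALCMD.EXE.exe", 35505),
    (r"%Documents and Settings%\All Users\KAAo.txt", 55978),
    (r"%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe", 7971),
]
DELETED = [
    r"%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp",
    r"%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma",
    r"C:\totalcmd\TOTALCMD.EXE",
]


def companion_pairs(created, deleted):
    """Return (original, companion, size) for each deleted path whose path + '.exe' was created.

    Matching is case-insensitive because NTFS paths are; the original casing is kept in the output.
    """
    by_lower = {p.lower(): p for p in deleted}
    pairs = []
    for path, size in created:
        low = path.lower()
        if low.endswith(".exe") and low[:-4] in by_lower:
            pairs.append((by_lower[low[:-4]], path, size))
    return pairs


def unpaired_created(created, deleted):
    """Created files with no deleted original: the dropper's own artefacts or in-place overwrites.

    The report alone cannot distinguish a new file from an overwritten one, so these need a
    hash comparison against a known-good copy.
    """
    companions = {c for _, c, _ in companion_pairs(created, deleted)}
    return [p for p, _ in created if p not in companions]


def original_extensions(pairs):
    """Count the file types that were replaced, to see what the infector targets."""
    return Counter(ntpath.splitext(orig)[1].lower() for orig, _, _ in pairs)


if __name__ == "__main__":
    for orig, comp, size in companion_pairs(CREATED, DELETED):
        print(f"{orig}  ->  {comp}  ({size} bytes)")
    print("unpaired:", unpaired_created(CREATED, DELETED))
    print("targeted extensions:", dict(original_extensions(CREATED and companion_pairs(CREATED, DELETED))))
```

Applied to the full listing, the same pairing gives the restore list for a cleanup: each companion file is deleted and the original is recovered from backup or installation media, since the original content is gone rather than prepended. Note that the companion sizes cluster (7385, 7433, 7971 bytes) regardless of the original's size, which is consistent with the originals being discarded rather than wrapped.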
Registry activity
The process cscript.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 0B BF 79 CC C6 23 3E 40 0A 1C 79 6F 68 F6 C4"
The process cscript.exe:1408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 52 48 6C A9 3F 72 80 2F DE 31 02 A6 7C 75 EC"
The process cscript.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA CE C7 47 3F D1 59 39 36 98 2E 0E 5A A3 20 22"
The process cscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 F3 FA 38 3E E4 EE 6B 61 A1 0D 40 24 4C 18 F2"
The process cscript.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 B1 7B B0 C8 CF 23 92 FD 3B C2 77 6A E5 E4 22"
The process cscript.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 75 63 93 BD 74 7A 52 79 FF C0 D6 A0 E5 AD E3"
The process cscript.exe:1372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 80 52 DB AA C0 DA CE A8 C4 58 CE 3E 2C 58 FA"
The process cscript.exe:936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 25 DE 43 37 0F 6D AB 73 33 01 16 3C 25 AD 89"
The process cscript.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 AD 11 39 05 A0 44 5F D0 AD 4E 52 D4 2F C4 92"
The process cscript.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 45 35 01 F5 C3 23 5D 0B E5 50 5E FC 25 33 AD"
The process cscript.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 85 94 89 56 26 CE 8F BE B8 F0 74 C3 C4 B3 10"
The process fGAwoYMM.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9D 95 E8 EA B0 78 1C 67 7D 43 93 B8 40 C9 DD"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process fGAwoYMM.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 21 7D E8 29 95 63 0D 04 86 34 66 08 06 C0 E9"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 87 D1 D3 FD B0 E5 CB 64 94 39 B4 72 A4 1A 32"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D CD 8C 63 48 1F 06 16 FE E8 EF 2C DD EE 2F 82"
The process %original file name%.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D4 55 BF A1 A4 AE CA C7 87 1D 1E 80 0A A5 0F"
The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 37 71 F0 7D 60 76 AD 19 CB D6 78 BF 99 AA D9"
The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C6 56 B4 FE 0E DC 6B F3 EB AA D9 E4 08 3C 0D"
The process %original file name%.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 94 3F D8 44 07 5D CC 94 91 06 3F B7 91 E6 25"
The process %original file name%.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 85 D6 02 A7 B6 CC 41 A5 28 14 45 F8 66 C3 E5"
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 09 65 16 75 6A 9A 2F EE AE 02 42 DF FF 7C DE"
The process %original file name%.exe:1548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A1 93 58 BE 11 AA A7 23 E4 A4 2C FC 0C 47 26"
The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 27 87 2E 4C 2B 59 E2 12 49 9F F8 4C 7A 02 58"
The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 CF D2 80 C7 2C 52 33 9A 84 FC 5B 00 69 1E B4"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E E0 2C EA FE 06 93 2B 7C 2D B8 F0 0D C9 E7 0F"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
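Two kinds of persistence appear in the registry activity above and survive a reboot independently of each other: the Run-key values (HKCU for fGAwoYMM.exe, HKLM for NesIMIQs.exe) and the Winlogon UserInit value, which Winlogon executes as a comma-separated list at every interactive logon. The repeated "Seed" writes under HKLM\SOFTWARE\Microsoft\Cryptography\RNG, by contrast, are CryptoAPI refreshing its seed whenever a process draws random bytes and are not indicators of anything. The Python below is an added example, not code from the report; it runs the two checks over values copied from this report (constructed samples) so that it works offline on exported registry data. The TRUSTED_ROOTS allow-list is a hypothetical triage heuristic of my own, not something the report specifies.

```python
"""Triage checks for the Winlogon UserInit and Run-key persistence this report lists."""
import ntpath

# Constructed samples copied from the report. The Windows default UserInit value is
# "%System%\userinit.exe," (trailing comma included); anything after it is an extra
# program Winlogon starts at logon.
USERINIT_OBSERVED = r"%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
USERINIT_CLEAN = r"%System%\userinit.exe,"

RUN_KEYS_OBSERVED = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "fGAwoYMM.exe": r"%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "NesIMIQs.exe": r"%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe",
    },
}

# Hypothetical allow-list (assumption, not from the report): Run targets under these roots
# are not flagged. Paths are compared lower-cased; each root ends in a single backslash.
TRUSTED_ROOTS = ("%system%\\", "%windir%\\", "%programfiles%\\")


def userinit_extras(value):
    """Return every UserInit entry other than userinit.exe itself, in execution order."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]


def run_entries_outside_trusted_roots(run_keys):
    """Return (key, value name, target) for Run entries whose target is not under a trusted root."""
    flagged = []
    for key, values in run_keys.items():
        for name, target in values.items():
            if not target.strip('"').lower().startswith(TRUSTED_ROOTS):
                flagged.append((key, name, target))
    return flagged


def persistence_findings(userinit_value, run_keys):
    """Combine both checks into one (location, target) list for a triage report."""
    findings = [("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit", e)
                for e in userinit_extras(userinit_value)]
    findings += [(f"{key}\\{name}", target)
                 for key, name, target in run_entries_outside_trusted_roots(run_keys)]
    return findings


if __name__ == "__main__":
    for location, target in persistence_findings(USERINIT_OBSERVED, RUN_KEYS_OBSERVED):
        print(f"{location}\n    -> {target}")
```

When cleaning a host, restore UserInit to exactly `%System%\userinit.exe,` (trailing comma included) instead of only deleting NesIMIQs.exe, and remove the value from both Run keys; the report shows the same two binaries being registered by three different processes (fGAwoYMM.exe, reIEcoQI.exe and the original file), so all three locations need checking, not just the one that was noticed first.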
The process %original file name%.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 70 56 74 87 E1 F2 74 1C 8B 27 EF A9 06 B4 40"
The process %original file name%.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 9A D3 EC 83 06 F4 86 E1 F1 7A DA 77 D9 4F E7"
The process NesIMIQs.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 92 4F 0A 11 5E BA C0 0D 7E 15 17 DC D0 A2 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
Dropped PE files
MD5 | File path |
---|---|
e8fc200190c7f9c4a40a2c44398477fb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
9511471bd28814aa5f7a72a6ed377e0b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
68ef93f4728365d20c6c5be750230a08 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
b24ebec30a90265b7b7cff945cc45cb6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
90b43ba2548b43e61590b39b73c68760 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
9091a04a7d1cba56cdfc8d3085985e7c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
ee237dd48a9a197a640df61ab1deb252 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
bb205427484d41e2360ceaa8c4a1f9c8 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
0c58b3efae146c7e1e923bf4dc1d5a52 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
1a74d63f89d16aefec5849fb30b29e2f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
adf1f93c330f26068e26d790ea169ac0 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
3f2d689ec1a24bfeb31a89a4f0b5831a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
abf2c5e3f20af8110a14a0d19c00a9a1 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
f6d5eaa7591de18a108a01853dc198a5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
22765edf671b76346accc030d495a3ea | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
5cb70902b4d4bbafd78eb79f9395f6f5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
9c3e57d5e9f43b3aabf5082c17efa0d7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
ead566cace101556a513fc6388fd3b5d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
2738331142d7e8d9b0c1c0a5f00a7b54 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
45e1a9f5163d2fa06b0877ce3639d50f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
01ecb02a933250223f56f09cf815c4fd | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
e68264ecda7fd1253bf31877ffceadf6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
2475cf4a0bfe3ede1e2192ed959345fc | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
dd60ebcaf934902261a8f6e48d537705 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
5a7bb76660db82fcca9caf6345948377 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
fdb47625c613527f1edc7c918dd30275 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
a9fa128ef421249430a2a39cb884139a | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
4fb6b7b9f0611b599c1cf69da79b775c | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
45b1947ca7622ec1e56fe712aed4fcb2 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
5baa5f820fb90f5de3b20e73e910e32c | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
17a6bc90267d674e0ea846f832f4b616 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
e3845233db01db69d786334d4213d40b | c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe |
096b32792a6f603247f98026859c8a61 | c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe |
6695393d7ffe505a24721b3b899f2d47 | c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe |
e6bbd5be354b57a061e94b2ddf0ab916 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
e863ca9013dc802de87d9d0bcf365fd0 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
2002077e64bda37bff57535d374bf405 | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
e7761c9754a7c6861426023e5417f18c | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
75a3daeb81c9d17bddf952c1d3be14a6 | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
e44daf83ef4e0da641c12342c471294e | c:\Perl\html\images\AS_logo.gif.exe |
f2ac2082ffece1d878a17f22becbe4d4 | c:\Perl\html\images\PerlCritic_run.png.exe |
b45aad3475a362415729d793c722f987 | c:\Perl\html\images\aslogo.gif.exe |
7a3d8ed256fa747d5cfe55d2830d0c37 | c:\Perl\html\images\ppm_gui.png.exe |
bdb63b6a4d521e0c94a49cb646e2c31b | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
72725a7052c6e82b4d9ceb17187ffabb | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
126ba5d097f2ab120a8f8f89b998c5d9 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
c88325539c11651e45a9744c4d418bb7 | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
1a59b50d7bfe03cd6da3bf085522867d | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
6f2bf1dfbef7e17b4ecc48b2eff945e8 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
3f29d2997f9fb6a26291624668543e4d | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
1e5aff2d2a90c4ff079e35f8e15a2b3c | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
f2c5ac82f98db53c20ce4ebe505c0f49 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
25fbd17f9fcc64b28839285662bdb7e1 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
0e4ada8cca6795ab7a5810f963dd8c67 | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
ab4a584d84399d65b6e71a2b5157d6d0 | c:\totalcmd\TCMADMIN.EXE.exe |
cd8c7be27e726d3df2cc16098bab64c4 | c:\totalcmd\TCMDX32.EXE.exe |
879583eb42826bc7f726e06fd6373401 | c:\totalcmd\TCUNINST.EXE.exe |
60340895d6c99844ac9aba12f43139f9 | c:\totalcmd\TOTALCMD.EXE.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cscript.exe:216
cscript.exe:1408
cscript.exe:1144
cscript.exe:908
cscript.exe:1796
cscript.exe:444
cscript.exe:1372
cscript.exe:936
cscript.exe:644
cscript.exe:1760
cscript.exe:248
%original file name%.exe:740
%original file name%.exe:1136
%original file name%.exe:620
%original file name%.exe:1772
%original file name%.exe:1628
%original file name%.exe:564
%original file name%.exe:1796
%original file name%.exe:1548
%original file name%.exe:608
%original file name%.exe:368
%original file name%.exe:228
%original file name%.exe:1740
%original file name%.exe:816
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\KIAAoAQA.bat (4 bytes)
C:\2a10c7359a40e0cef84801d417140453 (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OwQkIUkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bcEEYwcs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QQIQIUIU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hywgksUQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEQssEkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qKwsgskQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XeMUowYs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SEIEYIUI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TyMAgwIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwYUoMwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YagwEoQE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ycQsoYoI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\noYYYUQs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HewcUUsM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKAAAwcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uygwsEYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tCYAkwYw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KgcUEAIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DoEwAoYY.bat (112 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7833 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OKMAQUwQ.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\duksgkUg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UEAMogMg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OQYgooUI.bat (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1122304 | 1119744 | 5.47553 | 28ba66a1276326f2d6ccbfff93e074cc |
.rdata | 1126400 | 4096 | 512 | 2.30377 | 73d0ca39d8088a3da54ad6e17ab21643 |
.data | 1130496 | 5 | 512 | 0.067931 | b476f33081382201f38df08359f0d634 |
.rsrc | 1134592 | 1372 | 1536 | 2.36363 | eaa4f9ddd93235c7fe1f3852be0e3515 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):