
Analysis

Category Started Completed Duration
FILE 2013-07-27 06:12:33 2013-07-27 06:14:49 136 seconds

File Details

File Name Server.exe
File Size 192512 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 aa8f25e6fcd250fa5a76b6be83155773
SHA1 9f29cb0c48230a4fa83c2dd5b7d118d7f196d043
SHA256 b4f4639e044c97487f2d328f76a4959f0651dc7881df4b9462f37cf394b992a6
SHA512 f72a48cf5335ae88d4d5041393b5beae2bf8a960a976de367277f6e342ad6278fb4ff948cca8cccea85abde426ccdfb964cdf5545fd58b90d302f8f75e2bab5a
CRC32 8DC6392D
Ssdeep 1536:ABjrVdfxIBvIK2iAPztfov2SatnqSi9bFiRl94WFLQ/M2Y0foh5Bz1GZsu/z7JyK:AniI2iEAnqiTGw4M2LQGBrtx/7
Yara None matched

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious
Installs itself for autorun at Windows startup

Screenshots


Hosts

IP

Domains

Domain IP
bbroman.myvnc.com

Summary

Files

C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\Registration\R000000000007.clb
C:\
Device\KsecDD
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.done
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak
C:\WINDOWS\system32\rsaenh.dll
A:
B:
E:
F:
G:
H:
I:
J:
K:
L:
M:
N:
O:
P:
Q:
R:
S:
T:
U:
V:
W:
X:
Y:
Z:
C:\WINDOWS\system32\wmp.dll
C:\WINDOWS\system32\stdole2.tlb
PIPE\lsarpc
WMPImage_AdBanner
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
C:\Documents and Settings
C:\Documents and Settings\User
C:\Documents and Settings\User\Application Data
C:\Documents and Settings\User\Application Data\desktop.ini
C:\Documents and Settings\User\Application Data\Microsoft\Windows\((Mutex)).cfg
C:\WINDOWS\InstallDir\Server.exe
C:\DOCUME~1\User\LOCALS~1\Temp\x.html
C:\Documents and Settings\User\Application Data\Microsoft\Windows\((Mutex)).xtr
Registry Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\TreatAs
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\InprocServer32
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\InprocServerX86
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\LocalServer32
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\InprocHandler32
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\InprocHandlerX86
\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
HKEY_CLASSES_ROOT\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\TreatAs
HKEY_LOCAL_MACHINE\Software\Microsoft\MediaPlayer\Debug
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{ABEF6B34-5E46-4E8E-9F69-69B8F762DE36}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{13A7995E-7D8F-45B4-9C77-819265225763}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{95037DA1-6ED9-4B27-8CFF-9AD3DFB0B2F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{974BF3BF-C9AE-4476-8003-5FE544DF458C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{B2DBA270-9F49-4513-AC13-76496D6EBA3A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{D01BC8E2-70AD-4976-9612-21B37ED5C8E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{D7E9C0B4-0E4D-46B4-BC46-1D0222F92C6F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{E5A8C40E-654B-44D4-ACBB-DBE6D3B3333B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\NodeCLSIDs\{FB02E8EF-ACFE-4CC0-96DF-8B5C7098272C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins\{47DEA830-D619-4154-B8D8-6B74845D6A2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins\{48501FF0-F6A9-11D2-9435-00A0C92A2F2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins\{4B657E70-08EF-11D3-9447-00A0C92A2F2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins\{61180810-EF20-11D2-9431-00A0C92A2F2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins\{93EB32F5-87B1-45AD-ACC6-0F2483DB83BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Plugins\{AE7BFAFE-DCC8-4A73-92C8-CC300CA88859}
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\
CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TreatAs
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InprocServer32
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InprocServerX86
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\LocalServer32
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InprocHandler32
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InprocHandlerX86
\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
HKEY_CLASSES_ROOT\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}
CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\TreatAs
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\InprocServer32
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\InprocServerX86
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\LocalServer32
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\InprocHandler32
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\InprocHandlerX86
\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}
HKEY_CLASSES_ROOT\CLSID\{CD12A3CE-9C42-11D2-BEED-0060082F2054}\TreatAs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Media\Platform\Threads
CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}
CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\TreatAs
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\InprocServer32
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\InprocServerX86
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\LocalServer32
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\InprocHandler32
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\InprocHandlerX86
\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}
HKEY_CLASSES_ROOT\CLSID\{203B1EED-DB9F-40FB-87BD-1990982017D2}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Media\MediaFoundation
CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}
CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\TreatAs
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\InprocServer32
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\InprocServerX86
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\LocalServer32
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\InprocHandler32
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\InprocHandlerX86
\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}
HKEY_CLASSES_ROOT\CLSID\{DCF6C8B2-F6C0-461B-82DA-35945EADF54A}\TreatAs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Media\WMSDK
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP
CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}
CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\TreatAs
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\InprocServer32
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\InprocServerX86
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\LocalServer32
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\InprocHandler32
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\InprocHandlerX86
\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}
HKEY_CLASSES_ROOT\CLSID\{566A2EFF-5651-4020-AC1A-EB48E4571EA3}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\RTSP
CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}
CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\TreatAs
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\InprocServer32
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\InprocServerX86
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\LocalServer32
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\InprocHandler32
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\InprocHandlerX86
\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}
HKEY_CLASSES_ROOT\CLSID\{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
SOFTWARE\Microsoft\Cryptography\Providers\Type 001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_CLASSES_ROOT\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\409
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\9
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_CLASSES_ROOT\JScript\CLSID
CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}
CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\TreatAs
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServer32
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServerX86
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\LocalServer32
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocHandler32
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocHandlerX86
\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}
HKEY_CLASSES_ROOT\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying\
HKEY_CLASSES_ROOT\AppID\Server.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win32\409
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win32\9
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win32\0
HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win32\0\win32
HKEY_CURRENT_USER\SOFTWARE\XtremeRAT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Server.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_CURRENT_USER\SOFTWARE\((Mutex))
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM
HKEY_CLASSES_ROOT\.HTM
HKEY_CLASSES_ROOT\htmlfile
HKEY_CLASSES_ROOT\htmlfile\CurVer
HKEY_CLASSES_ROOT\htmlfile\
HKEY_CLASSES_ROOT\htmlfile\\shell
HKEY_CLASSES_ROOT\htmlfile\\shell\opennew
HKEY_CLASSES_ROOT\htmlfile\\shell\opennew\command
Mutexes

CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
MutexToProtectNamespace
XTREMEUPDATE
((Mutex))
((Mutex))PERSIST

Version Infos

ProductVersion 6.00
InternalName bashar2
FileVersion 6.00
OriginalFilename bashar2.exe
ProductName xcvxcvx

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x1000 0x2cdf8 0x2d000 3.81658605311
.data 0x2e000 0x119c 0x0 0.0
.rsrc 0x30000 0x898 0x1000 1.85056564636

Imports

Library MSVBVM60.DLL:
0x401000 MethCallEngine
0x401004 None
0x401008 None
0x40100c None
0x401010 None
0x401014 EVENT_SINK_AddRef
0x401018 DllFunctionCall
0x40101c EVENT_SINK_Release
0x401020 None
0x401028 __vbaExceptHandler
0x40102c None
0x401030 None
0x401034 None

Antivirus Signature
MicroWorld-eScan Clean
nProtect Clean
CAT-QuickHeal (Suspicious) - DNAScan
McAfee Clean
Malwarebytes Clean
K7AntiVirus Clean
K7GW Clean
TheHacker Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
Norman Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Win32:Malware-gen
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Agnitum Clean
SUPERAntiSpyware Clean
Emsisoft Clean
Comodo TrojWare.Win32.Injector.ADSA
F-Secure Clean
DrWeb Trojan.VbCrypt.8
VIPRE Clean
AntiVir TR/Injector.192512.171
TrendMicro Clean
McAfee-GW-Edition Clean
Sophos Clean
Jiangmin Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
ViRobot Clean
AhnLab-V3 Clean
GData Clean
Commtouch Clean
ByteHero Clean
VBA32 Clean
PCTools Clean
ESET-NOD32 a variant of Win32/Injector.ADSA
Rising Clean
Ikarus Backdoor.Win32.Xtreme
Fortinet W32/Injector.ADSA!tr
AVG VB.4.DE
Panda Suspicious file

Process Tree

  • Server.exe 1088
    • Server.exe 112
      • Server.exe 1832

Server.exe, PID: 1088, Parent PID: 1824

Server.exe, PID: 112, Parent PID: 1088

Server.exe, PID: 1832, Parent PID: 112

HTTP Requests

No HTTP requests performed.

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

File name ((Mutex)).cfg
File Size 2032 bytes
File Type data
MD5 68fd1c2e8ce69335311c5e51ac59a40c
SHA1 0a6933754526e1ded00b2b6450f1ebe2ce8e5cef
SHA256 4d844ad3c4c05c52a33ec81c7a3dee6ac17562cb5828b2717b8d80a88076fd0c
CRC32 738A54A4
Ssdeep 48:CmfDglsbt/4yomHQTQgCwHZfv5bfClP4oP8bWSdL21sCTUzgQ:Jkybx4yoeQUrev5bfqPfP2ZqlTUN
Yara None matched
File name WMSDKNS.XML.done
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
Yara None matched
File name WMSDKNS.XML.bak
File Size 12787 bytes
File Type exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 9020cf6eee6267257fce8145a8dd10de
SHA1 9fd99feb4ddb819568eb82940ff4020c00b17ccb
SHA256 f12accefd2303a274b879806a902e51cc7f93f054b6395da1ec46e5229bae009
CRC32 B54A13D0
Ssdeep 96:/YkZRAF6zyHUhm77yB1pZYCEnfHrHH7B6xTGHrYCQnNb2eV3zwFRhRzOtozx0YaM:/2FV0bBPCfYNQQdY
Yara None matched
File name WMSDKNSD.XML
File Size 53 bytes
File Type ASCII text, with CRLF line terminators
MD5 a9b5da9aec61657b32393d96217165f0
SHA1 80b5c577155acd269b450d70f6b2cbed693edf49
SHA256 9f4611369cf65b33d886489b2486fca7b1e83e0dc998d35b15b3aa4c8478a28d
CRC32 AC5F0423
Ssdeep 3:sLRaE92JWyhHX9ovy4dduRun:sLzTyRXKvndI0
Yara None matched