Trojan.Agent
Risk Level 1
File Size: 1313176 KB
File Type: Portable Executable 32
File Name: document 72662 pdf.exe
MD5: b69e2d2f71e663e088e2c1d7750688d1
SHA1: c7d8a7b45ad644ea757e6456f82b4a55213f1d1f
SHA256: 1d4f3b09c75360ddb06e88bc21acf62fb106a838da29205c90

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample\b69e2d2f71e663e088e2c1d7750688d1.exe

Changes to registry:

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\tmp7CC1_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Creates value "poiut55ghyhj=C:\Users\cognus\AppData\Roaming\mxhgsiiw\dhudujd.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C006D0078006800670073006900690077005C00640068007500640075006A0064002E006500780065000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "b69e2d2f71e663e088e2c1d7750688d1.exe=The Witcher 3" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample
binary data=54006800650020005700690074006300680065007200200033000000
* Creates value "b69e2d2f71e663e088e2c1d7750688d1.exe=The Witcher 3" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\cognus\DefaultBox\user\current\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample
binary data=54006800650020005700690074006300680065007200200033000000
* Creates value "Koikey.exe=The Witcher 3" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\cognus\DefaultBox\user\all\mnvyjyR
binary data=54006800650020005700690074006300680065007200200033000000

Changes to filesystem:

* Modifies file C:\Windows\system32\CatRoot2\edb.chk
* Creates file C:\ProgramData\mnvyjyR\Koikey.exe
* Creates file C:\ProgramData\RDnpATck\a6d104d7be9b448e885bb53ca2a2a876
* Creates file C:\ProgramData\RDnpATck\a74ce7c21df44fec8cdbea06a21eafc0
* Creates file (empty) C:\Users\cognus\AppData\Local\Temp\tmp7CC1.tmp
* Creates file C:\Users\cognus\AppData\Local\Temp\tmp7CC1.tmp.exe
* Creates file C:\Users\cognus\AppData\Local\Temp\tmp83DE.tmp
* Creates file C:\Users\cognus\AppData\Local\Temp\tmp8D8A.tmp
* Creates file (hidden) C:\Users\cognus\AppData\Roaming\mxhgsiiw\dhudujd.exe
* Changes file attributes C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample\b69e2d2f71e663e088e2c1d7750688d1.exe

Network services:

* Queries DNS "wpad.localdomain".
* Queries DNS "dns.msftncsi.com".
* Queries DNS "icanhazip.com".
* Queries DNS "ipinfo.io".
* Queries DNS "curlmyip.com".
* Queries DNS "bot.whatismyipaddress.com".
* C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample\b69e2d2f71e663e088e2c1d7750688d1.exe Connects to "64.182.208.182" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample\b69e2d2f71e663e088e2c1d7750688d1.exe Connects to "52.29.242.5" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample\b69e2d2f71e663e088e2c1d7750688d1.exe Connects to "184.106.112.172" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\30 May 2016\Trojan.Genric\Sample\b69e2d2f71e663e088e2c1d7750688d1.exe Connects to "66.171.248.178" on port 80 (TCP - HTTP).
* Downloads file from "cmdcmdcmd.php0h.com/3.jpg".
* Downloads file from "cmdcmdcmd.php0h.com/4.jpg".
* Downloads file from "cmdcmdcmd.php0h.com/1.jpg".
* Downloads file from "cmdcmdcmd.php0h.com/2.jpg".
* Downloads file from "cmdcmdcmd.php0h.com/5.jpg".
* Downloads file from "ewqscxz.fateback.com/3.jpg".
* Downloads file from "ewqscxz.fateback.com/4.jpg".
* Downloads file from "ewqscxz.fateback.com/1.jpg".
* Downloads file from "ewqscxz.fateback.com/2.jpg".
* Downloads file from "ewqscxz.fateback.com/5.jpg".
* Downloads file from "www11.asphost4free.com/ewqscxz/3.jpg".
* Downloads file from "www11.asphost4free.com/ewqscxz/4.jpg".
* Downloads file from "reseller.ijabry.com/".
* Downloads file from "www11.asphost4free.com/ewqscxz/1.jpg".
* Downloads file from "www11.asphost4free.com/ewqscxz/2.jpg".
* Downloads file from "www11.asphost4free.com/ewqscxz/5.jpg".
* Downloads file from "icanhazip.com/".
* Downloads file from "ipinfo.io/ip".
* Downloads file from "curlmyip.com/".
* Downloads file from "bot.whatismyipaddress.com/".

Process/window/string information:

* Gets input locale identifiers.
* Gets computer name.
* Checks for debuggers.
* Removes Zone.Identifier information.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1672".
* Injects code into process "C:\Program Files\Sandboxie\SandboxieCrypto.exe".
* Creates a mutex "83bnbbiIaop4Noo".
* Enables privilege SeDebugPrivilege.
* Enumerates running processes.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1896".
* Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", null".
* Injects code into process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2900".
* Creates a mutex "Global\.net clr networking".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2668".
* Creates a mutex "lgwrSPyTD".
* Creates process "C:\ProgramData\mnvyjyR\Koikey.exe, "C:\ProgramData\mnvyjyR\Koikey.exe" , C:\Users\cognus\AppData\Local\Temp".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\all\mnvyjyR\Koikey.exe".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_964".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2644".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3128".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2516".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1872".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3396".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1368".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3508".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3424".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3788".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1532".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_608".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1428".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3044".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3444".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1364".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2792".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1288".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3496".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1340".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1832".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3472".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_712".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3604".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2952".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2988".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2016".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3380".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3328".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_240".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3464".
* Enables process privileges.
* Contains string Checked for AVG security software presence ("AVGW")
* Contains string Checked for F-Secure security software presence ("FSAA")
* Sleeps 17895 seconds.

Additional Information:

How To Remove document 72662 pdf.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where document 72662 pdf.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
