kb25128485.exe

DlgPreprint Application

It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Host-process Windows (Rundll32.exe)’.
Product:
DlgPreprint Application

Description:
DlgPreprint Microsoft Foundation Class Application

Version:
1, 0, 0, 1

MD5:
0c0d798add0c4e450a1c8bf3824ea989

SHA-1:
09956bb34db50abebc93cdaf4ba041f01d5cbc95

SHA-256:
b35d94236c37a2823794c9a67a400b88f02eab1ff55aa6cea41dca4d92cbc3dd

Scanner detections:
4 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
4/19/2024 9:04:04 PM UTC

Scan engine
Detection
Engine version

Baidu Antivirus
Win32.Trojan.WisdomEyes.16070401.9500
4.0.3.161115

Qihoo 360 Security
HEUR/QVM07.1.0000.Malware.Gen
1.0.0.1120

Rising Antivirus
Malware.Obscure/Heur!1.9E03 (classic)
23.00.65.161113

VIPRE Antivirus
Trojan.Win32.Injector.cdgy
53788

File size:
162.3 KB (166,242 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 2000

Original file name:
DlgPreprint.EXE

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\appdata\local\temp\kb25128485.exe

File PE Metadata
Compilation timestamp:
11/11/2016 8:23:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:Wp/bWyaFhQOCIyrYnXY6NavVtDKo91AGq2e:CWyRjoNa78Go

Entry address:
0x9122

Entry point:
55, 8B, EC, 6A, FF, 68, F0, CA, 30, 00, 68, D2, 92, 30, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 18, 0C, 31, 00, 59, 83, 0D, 58, FA, 30, 00, FF, 83, 0D, 68, FA, 30, 00, FF, FF, 15, 1C, 0C, 31, 00, 8B, 0D, 44, FA, 30, 00, 89, 08, FF, 15, 58, 0C, 31, 00, 8B, 0D, 40, FA, 30, 00, 89, 08, A1, 54, 0C, 31, 00, 8B, 00, A3, 4C, FA, 30, 00, E8, 2E, 01, 00, 00, 39, 1D, 00, F8, 30, 00, 75, 0C, 68, BC, 92, 30, 00, FF, 15, 50, 0C...

Entropy:
6.4678

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
44 KB (45,056 bytes)

Approved Shell Extension
Name:
Autoplay for SlideShow

CLSID:
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

CLSID name:
Shell Autoplay for Slideshow


2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\users\{user}\appdata\roaming\rundll32.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe


The executing file has been seen to make the following network communications in live environments.


Scan kb25128485.exe - Powered by Reason Core Security