home

kb32762906.exe

FileSpy Application

It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Client Server Runtime Process’.
Product:
FileSpy Application

Description:
FileSpy MFC Application

Version:
1, 0, 0, 1

MD5:
17fb3adf41fb87246d295bb0f03caddc

SHA-1:
ebe495612a632c1cd756026d074b3acc71b8ddfc

SHA-256:
c5f925fc4e9adc94522f556d7991aa5b2848ba28143d059bf657a098426aa1f2

Scanner detections:
4 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
4/19/2024 8:46:10 AM UTC  (today)

Scan engine
Detection
Engine version

Qihoo 360 Security
HEUR/QVM07.1.0000.Malware.Gen
1.0.0.1120

Trend Micro House Call
TROJ_TOBFY.SM1
7.2.20

Trend Micro
TROJ_TOBFY.SM1
10.465.20

VIPRE Antivirus
Trojan.Win32.Injector.cdgy
55370

File size:
114.3 KB (117,090 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 2003

Original file name:
FileSpy.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\kb32762906.exe

File PE Metadata
Compilation timestamp:
1/12/2017 10:39:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x2ADF

Entry point:
55, 8B, EC, 6A, FF, 68, 20, 3C, 20, 00, 68, 66, 2C, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, D8, 33, 20, 00, 59, 83, 0D, E8, 5E, 20, 00, FF, 83, 0D, EC, 5E, 20, 00, FF, FF, 15, DC, 33, 20, 00, 8B, 0D, DC, 5E, 20, 00, 89, 08, FF, 15, E0, 33, 20, 00, 8B, 0D, D8, 5E, 20, 00, 89, 08, A1, E4, 33, 20, 00, 8B, 00, A3, E4, 5E, 20, 00, E8, 17, 01, 00, 00, 39, 1D, D0, 5D, 20, 00, 75, 0C, 68, 62, 2C, 20, 00, FF, 15, E8, 33...
 
[+]

Entropy:
6.9353

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
768 MB (805,314,560 bytes)

2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\windows\syswow64\csrss.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to WIN-8ICQMC1MQT9  (193.106.30.226:9997)

TCP (SMTP):
Connects to mx1.hotmail.com  (104.44.194.233:25)

TCP (SMTP):
Connects to col0-mc3-f.col0.hotmail.com  (65.55.37.104:25)

TCP:
Connects to mail.gadimalilk.com  (49.50.66.58:9631)

TCP:
Connects to 123.103.12.229-BJ-CNC  (123.103.12.229:9631)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ir2.yahoo.com  (188.125.68.56:25)

TCP (SMTP):
Connects to wb-in-f109.1e100.net  (66.102.1.109:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.gq1.yahoo.com  (63.250.193.229:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.bf1.yahoo.com  (98.139.221.253:25)

TCP:
Connects to ns396520.ip-176-31-123.eu  (176.31.123.194:9997)

Scan kb32762906.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.