Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =d8ce0835898503c09648428d3c57ef0e

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
d8ce0835898503c09648428d3c57ef0e	3f15f673598831c412363e226c65cc6a44971af1	87083073d89f37f7ae7fc5d031617bd691604e9bb2fa69f3788dd9db130cb1d3	12288:Cutrzh9xOXkkKcmcMAzLrEKHYeBgWhaQKlmlO3CXG439HIN3:Cutr5OUk7MGLrB42gWs3kU3ls	471112

File Results

File Name
vk%2Dguests.in.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor

Folders (Added) - ICC Results

Path	Folder Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	winsvchost

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Local Settings/Temp	WinSocks.sw
c:/Documents and Settings/dmc73144/Local Settings/Temp/winsvchost	svchost.exe
c:/Documents and Settings/dmc73144/Start Menu/Programs/Startup	Microsoft Update.exe
c:/WINDOWS/Prefetch	AUTOIT3.EXE-32361418.pf
c:/WINDOWS/Prefetch	FILE1.EXE-03B2F7D2.pf
c:/WINDOWS/Prefetch	FILE2.EXE-0FB11BD9.pf
c:/WINDOWS/Prefetch	FILE3.EXE-2A1A7267.pf
c:/WINDOWS/Prefetch	REGSHOT.EXE-010A5EE6.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:/WINDOWS/Prefetch	START.EXE-31104AA4.pf
c:/WINDOWS/Prefetch	SVCHOST.EXE-004EF50F.pf
c:/WINDOWS/Prefetch	SVCHOST.EXE-3530F672.pf
c:/WINDOWS/Prefetch	TRANSCL.EXE-1B822206.pf
c:/WINDOWS/system32/drivers/etc	File1.exe
c:/WINDOWS/system32/drivers/etc	File2.exe
c:/WINDOWS/system32/drivers/etc	file3.exe
c:/WINDOWS/system32/drivers/etc	h?sts
c:/WINDOWS/system32/drivers/etc	start.exe
c:/WINDOWS/system32	TranscL.exe

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/system32/config	default.LOG
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/config	SYSTEM
modified	c:/WINDOWS/system32/config	system.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wbemess.log
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log
modified	c:/WINDOWS/system32/wbem/Repository/FS	INDEX.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING.VER
modified	c:/WINDOWS/system32/wbem/Repository/FS	MAPPING1.MAP
modified	c:/WINDOWS/system32/wbem/Repository/FS	OBJECTS.MAP

Registry Keys (Added) - ICC Results

Action	Path
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/policies/Explorer
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/policies/Explorer/run
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000/Control
added	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts
added	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad/Security
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad/Enum
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000/Control
added	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts
added	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad/Security
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad/Enum
added	HKU/.DEFAULT/Software/Microsoft/Visual Basic
added	HKU/.DEFAULT/Software/Microsoft/Visual Basic/6.0
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Visual Basic
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Visual Basic/6.0
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/WinRAR SFX
added	HKU/S-1-5-18/Software/Microsoft/Visual Basic
added	HKU/S-1-5-18/Software/Microsoft/Visual Basic/6.0

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/policies/Explorer/run	Update service	"C:/DOCUME~1/dmc73144/LOCALS~1/Temp/winsvchost/svchost.exe"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000/Control	NewlyCreated	0x00000000
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000/Control	ActiveService	"TranscendQuickLoad"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	Service	"TranscendQuickLoad"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	Legacy	0x00000001
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	ConfigFlags	0x00000000
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	Class	"LegacyDriver"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	ClassGUID	"{8ECC055D-047F-11D1-A537-0000F8753ED1}"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	DeviceDesc	"Transcend Quick Load Service"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_TRANSCENDQUICKLOAD	NextInstance	0x00000001
added	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List	8364	TCP
added	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List	8008	TCP
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad/Enum	0	"RootLEGACY_TRANSCENDQUICKLOAD0000"
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad/Enum	Count	0x00000001
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad/Enum	NextInstance	0x00000001
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad/Security	Security	01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	Type	0x00000010
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	Start	0x00000002
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	ErrorControl	0x00000000
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	ImagePath	"C:/WINDOWS/system32/TranscL.exe"
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	DisplayName	"Transcend Quick Load Service"
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	ObjectName	"LocalSystem"
added	HKLM/SYSTEM/ControlSet001/Services/TranscendQuickLoad	Description	"Transcend Quick Load"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000/Control	NewlyCreated	0x00000000
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000/Control	ActiveService	"TranscendQuickLoad"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	Service	"TranscendQuickLoad"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	Legacy	0x00000001
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	ConfigFlags	0x00000000
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	Class	"LegacyDriver"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	ClassGUID	"{8ECC055D-047F-11D1-A537-0000F8753ED1}"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD/0000	DeviceDesc	"Transcend Quick Load Service"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_TRANSCENDQUICKLOAD	NextInstance	0x00000001
added	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List	8364	TCP
added	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List	8008	TCP
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad/Enum	0	"RootLEGACY_TRANSCENDQUICKLOAD0000"
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad/Enum	Count	0x00000001
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad/Enum	NextInstance	0x00000001
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad/Security	Security	01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	Type	0x00000010
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	Start	0x00000002
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	ErrorControl	0x00000000
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	ImagePath	"C:/WINDOWS/system32/TranscL.exe"
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	DisplayName	"Transcend Quick Load Service"
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	ObjectName	"LocalSystem"
added	HKLM/SYSTEM/CurrentControlSet/Services/TranscendQuickLoad	Description	"Transcend Quick Load"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://WINDOWS//system32//drivers//etc//Start.exe	"Start"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://WINDOWS//system32//drivers//etc//file1.exe	"file1"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://WINDOWS//system32//drivers//etc//file2.exe	"file2"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://WINDOWS//system32//drivers//etc//file3.exe	"Crosby Mauritania TampaAudreyOttawaSunnyvale"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://DOCUME~1//dmc73144//LOCALS~1//Temp//winsvchost//svchost.exe	"Crosby Mauritania TampaAudreyOttawaSunnyvale"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/WinRAR SFX	C%%WINDOWS%system32%drivers%etc	"C:/WINDOWS/system32/drivers/etc"

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	24 0B 96 D7 B0 E6 EF 8C 0F 5E 61 B7 6C AF B4 DD E8 C7 0C 84 4C 5B 4E 8F 54 02 06	59 7C 9E B8 3C 71 B4 8B 6C 08 03 4F 67 B2 B8 7A F0 88 7C 66 F4 12 AA 42 A7 1B 8D
modified	HKLM/SYSTEM/ControlSet001/Control/ServiceCurrent		0x00000009	0x0000000A
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000107	0x00000108
modified	HKLM/SYSTEM/CurrentControlSet/Control/ServiceCurrent		0x00000009	0x0000000A
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000107	0x00000108
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000003

DNS Results

DNS	DNS Response
www.bytecode.biz	Standard query response, Server failure
vegaszoid.net	Standard query response, Server failure

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location