Submission Summary:

What's been foundSeverity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.


Possible Security Risk

Security RiskDescription
Backdoor.ProRAT.K ProRAT.K is a remote administrative trojan. It allows an attacker to take full control of a compromised computer. It also logs all keystrokes to a text file which can be accessed by the attacker. It also hides itself from task manager and process monitors.
Trojan.Crypt.S Trojan.Crypt.S is a backdoor trojan which opens a random port and allows hackers to gain unauthorised access to the infected system. It also attempts to terminate antivirus, firewall and other security related processes.
Adware.Component.Unrelated These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

Threat CategoryDescription
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system


Memory Modifications

Process NameProcess FilenameMain Module Size
services.exe%Windir%\services.exe2,068,480 bytes
fservice.exe%System%\fservice.exe2,068,480 bytes
[filename of the sample #1][file and pathname of the sample #1]16,384 bytes
incom.exe%System%\incom.exe2,068,480 bytes
sservice.exe%Windir%\system\sservice.exe2,068,480 bytes

Module NameModule FilenameAddress Space Details
reginv.dll%System%\reginv.dllProcess name: dllhost.exe
Process filename: %System%\dllhost.exe
Address space: 0x2530000 - 0x2538000
winkey.dll%System%\winkey.dllProcess name: services.exe
Process filename: %Windir%\services.exe
Address space: 0xA90000 - 0xA9B000
reginv.dll%System%\reginv.dllProcess name: services.exe
Process filename: %Windir%\services.exe
Address space: 0xAD0000 - 0xAD8000
reginv.dll%System%\reginv.dllProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x3D0000 - 0x3D8000
winkey.dll%System%\winkey.dllProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1C80000 - 0x1C8B000
reginv.dll%System%\reginv.dllProcess name: VMwareUser.exe
Process filename: %ProgramFiles%\vmware\vmware tools\vmwareuser.exe
Address space: 0x9A0000 - 0x9A8000

Service NameDisplay NameNew StatusService Filename
ALGApplication Layer Gateway Service"Stopped"%System%\alg.exe
SharedAccessWindows Firewall/Internet Connection Sharing (ICS)"Stopped"%System%\svchost.exe -k netsvcs


Registry Modifications


Other details



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.