ThreatExpert Report: Infostealer, Win32.Malware, Adware:Win32/Torangcomz, Backdoor.Gen3..

Submission Summary:

Submission details:

Submission received: 18 September 2012, 00:23:06
Processing time: 8 min 16 sec
Submitted sample:

File MD5: 0x6E05A7A47B7E1AA634697F5310004776
File SHA-1: 0x11FF879187C5F7713854C3D0A31411E08D32A718
Filesize: 182,140 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%ProgramFiles%\Keyword Find\uninstall.exe	104,856 bytes	MD5: 0xD650BF74C0316A1B7875D8D697BCCF94 SHA-1: 0x3FD2C6C5675BAAC0A8F5F03CB99DA8625F554AD4
2	[file and pathname of the sample #1]	182,140 bytes	MD5: 0x6E05A7A47B7E1AA634697F5310004776 SHA-1: 0x11FF879187C5F7713854C3D0A31411E08D32A718

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\Keyword Find

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	278,528 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\keywordfind
HKEY_CURRENT_USER\Software\Keyword Find

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\keywordfind]

DisplayName = "keywordfind"
DisplayIcon = "%ProgramFiles%\Keyword Find\uninstall.exe"
UninstallString = "%ProgramFiles%\Keyword Find\uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

keywordfindagent = "%ProgramFiles%\Keyword Find\keywordfindagent.exe"

[HKEY_CURRENT_USER\Software\Keyword Find]

PID = "kf006"
instdate = "201209180"

Other details

The following Host Names were requested from a host database:

192.5.5.241
torangcomz.com

The following HTTP URLs were started reading:

http://torangcomz.com/instinfo.php?insttype=keywordfind
http://torangcomz.com/app_install.php?mac=&ver=&pid=kf006&insttype=keywordfind
http://down.torangcomz.com/down/1.0.0.2/keywordfind.dll
http://down.torangcomz.com/down/1.0.0.2/keywordfindagent.exe
http://down.kwdfo.com/kfo1/setup.exe

Downloaded File Summary:

Download details:

Download retrieved: 18 September 2012 00:31:22
Processing time: 8 min 47 sec
Downloaded sample #1:

File MD5: 0x1DC7093D2FF175A6313EAB3D8CF79D42
File SHA-1: 0x6D0EBE8BD7EB1D258326953D8AEE3B5040986232
Filesize: 208,488 bytes
Alias:

Infostealer [Symantec]
Win32.Malware [Ikarus]

Downloaded sample #2:

File MD5: 0x6A063011CC1640F1FECEFB152EE03B8A
File SHA-1: 0x8719896845EDD0197E44967044CF06246E1C010D
Filesize: 145,000 bytes
Alias:

Infostealer [Symantec]
Adware:Win32/Torangcomz [Microsoft]
Backdoor.Gen3 [Ikarus]

Downloaded sample #3:

File MD5: 0xF8452A11CB8C65F54B3A6023D9689B39
File SHA-1: 0xBA3373C59DF34FB2D949B4F6C36E1EFA9E938D45
Filesize: 239,264 bytes
Alias & packer info:

TrojanDownloader:Win32/Fokeydowrd.A [Microsoft]
packed with: ASPack [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\si1.tmp %Temp%\si2.tmp %Temp%\si6.tmp %ProgramFiles%\Keyword Find\keywordfo.dll %ProgramFiles%\Keyword Find\keywordfo_uninstall.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	[file and pathname of the sample #1]	208,488 bytes	MD5: 0x1DC7093D2FF175A6313EAB3D8CF79D42 SHA-1: 0x6D0EBE8BD7EB1D258326953D8AEE3B5040986232	Infostealer [Symantec] Win32.Malware [Ikarus]
3	[file and pathname of the sample #2]	145,000 bytes	MD5: 0x6A063011CC1640F1FECEFB152EE03B8A SHA-1: 0x8719896845EDD0197E44967044CF06246E1C010D	Infostealer [Symantec] Adware:Win32/Torangcomz [Microsoft] Backdoor.Gen3 [Ikarus]
4	[file and pathname of the sample #3]	239,264 bytes	MD5: 0xF8452A11CB8C65F54B3A6023D9689B39 SHA-1: 0xBA3373C59DF34FB2D949B4F6C36E1EFA9E938D45	TrojanDownloader:Win32/Fokeydowrd.A [Microsoft] packed with ASPack [Kaspersky Lab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\Keyword Find

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	163,840 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	602,112 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xAD7000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xB47000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFB7000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\keywordfind.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{61789788-BB9E-43A6-B590-B9A905C66288}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62283419-4E2B-435E-B408-483F55D0FEC5}
HKEY_CURRENT_USER\Software\Keyword Find

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\keywordfind.DLL]

AppID = "{61789788-BB9E-43A6-B590-B9A905C66288}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{61789788-BB9E-43A6-B590-B9A905C66288}]

(Default) = "keywordfind"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\VersionIndependentProgID]

(Default) = "keywordfind"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\Version]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\TypeLib]

(Default) = "{B45C1AF4-E92C-4219-9AB0-17F65331A057}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\ProgID]

(Default) = "keywordfind.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}\InprocServer32]

(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62283419-4E2B-435E-B408-483F55D0FEC5}]

(Default) = "keywordfind Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\VersionIndependentProgID]

(Default) = "KeywordBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\Version]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\TypeLib]

(Default) = "{B45C1AF4-E92C-4219-9AB0-17F65331A057}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\ProgID]

(Default) = "KeywordBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}\InprocServer32]

(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}]

(Default) = "KeywordBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}\TypeLib]

(Default) = "{B45C1AF4-E92C-4219-9AB0-17F65331A057}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC16CF3A-D7E3-4563-A8F0-BE1999B0CCD0}]

(Default) = "Ikeywordfind"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}\TypeLib]

(Default) = "{B45C1AF4-E92C-4219-9AB0-17F65331A057}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA3684C5-92F5-4C2F-82D7-4567009A6FCB}]

(Default) = "IKeywordBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\0\win32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\HELPDIR]

(Default) = "%Windir%\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B45C1AF4-E92C-4219-9AB0-17F65331A057}\1.0]

(Default) = "keywordfindLib"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand\CurVer]

(Default) = "KeywordBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand]

(Default) = "KeywordBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand.1\CLSID]

(Default) = "{8EDF6A9F-1FE7-4FE4-B3DC-003A7DC890FA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KeywordBand.1]

(Default) = "KeywordBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind\CurVer]

(Default) = "keywordfind.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind\CLSID]

(Default) = "{62283419-4E2B-435E-B408-483F55D0FEC5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind]

(Default) = "keywordfind Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind.1\CLSID]

(Default) = "{62283419-4E2B-435E-B408-483F55D0FEC5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keywordfind.1]

(Default) = "keywordfind Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62283419-4E2B-435E-B408-483F55D0FEC5}]

(Default) = "keywordfind Search"
NoExplorer = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

KeywordSearchUpdater = "[file and pathname of the sample #2]"

so that [file and pathname of the sample #2] runs every time Windows starts

[HKEY_CURRENT_USER\Software\Keyword Find]

ExeLived = "20120918"
EngineLived = "2012091800"

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

To mark the presence in the system, the following Mutex object was created:

sample_3

The following Host Name was requested from a host database:

192.5.5.241

The data identified by the following URLs was then requested from the remote web server:

http://torangcomz.com/query_list.php?ver=1.0.0.2&instdate=19780101&seq=1&pid=none&mac=
http://down.kwdfo.com/kfo1/keywordfo.dll
http://down.kwdfo.com/kfo1/uninstall.exe

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://torangcomz.com/request/checkpg.php?instdate=&pid=&mac=&Lived=&fileyn=0&clsidyn=1&blackyn=0&insttype=keywordfind	%Temp%\si1.tmp
http://torangcomz.com/request/updatelived.php?ver=1.0.0.2&instdate=&pid=&mac=&fileyn=0&insttype=keywordfind	%Temp%\si2.tmp
http://torangcomz.com/request/checkpg.php?instdate=19780101&pid=none&mac=&Lived=19780101&fileyn=0&clsidyn=1&blackyn=0&insttype=keywordfind	%Temp%\si6.tmp

Downloaded Files Summary (Generation #2):

Download details:

Download retrieved: 18 September 2012 00:40:10
Processing time: 8 min 0 sec
Downloaded sample #1:

File MD5: 0x14D40E559A24A6646598F9BDE1B09583
File SHA-1: 0x67117079027679858A464B9A3B6FD6508F3A3247
Filesize: 1,120,416 bytes
Alias: Trojan:Win32/BHO.DC [Microsoft]

Downloaded sample #2:

File MD5: 0x4750950622D5B32119FCD02EA5387EAC
File SHA-1: 0x0C90F503FD4A09AD157B6D938E3A8EFEF4F2C9BB
Filesize: 195,744 bytes
Packer info: packed with: ASPack [Kaspersky Lab]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	1,120,416 bytes	MD5: 0x14D40E559A24A6646598F9BDE1B09583 SHA-1: 0x67117079027679858A464B9A3B6FD6508F3A3247	Trojan:Win32/BHO.DC [Microsoft]
2	[file and pathname of the sample #2]	195,744 bytes	MD5: 0x4750950622D5B32119FCD02EA5387EAC SHA-1: 0x0C90F503FD4A09AD157B6D938E3A8EFEF4F2C9BB	packed with ASPack [Kaspersky Lab]

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	475,136 bytes

Note:

[generic host process filename] is a full path filename of [generic host process].

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.