kb17774921.exe

hla

The executable kb17774921.exe has been detected as malware by 4 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Client Server Runtime Process’. While running, it connects to the Internet address WIN-IMR7PIMNOUI on port 9997.
Product:
hla

Version:
1, 0, 0, 1

MD5:
a4d79a9df8152a9118e8ac20af9ae31b

SHA-1:
7451a49fbbc41f156ff239b92e4d9c92f269329e

SHA-256:
067a5c0a6224b8ce98af6ef2e598e054d4679bb8df70ff12f49401c2d328ebf9

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
12/27/2024 6:43:00 AM UTC

Scan engine: detection (engine version)
Dr.Web: Trojan.PWS.Panda.11620 (9.0.1.05190)
ESET NOD32: Win32/Agent.QKJ trojan (6.3.12010.0)
Kaspersky: Trojan.Win32.Reconyc (15.0.2.529)
Microsoft Security Essentials: TrojanDownloader:Win32/Recslurp.B (1.237.1116.0)

File size:
140 KB (143,360 bytes)

Product version:
1, 0, 0, 1

Copyright:
(C) 2008

Original file name:
hla.EXE

File type:
Executable application (Win32 EXE)

Language:
German (Switzerland)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\kb17774921.exe

File PE Metadata
Compilation timestamp:
3/1/2017 7:57:44 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Entry address:
0x7A2F

Entry point:
55, 8B, EC, 6A, FF, 68, 78, 8A, 20, 00, 68, B6, 7B, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 9C, 83, 20, 00, 59, 83, 0D, F0, A1, 20, 00, FF, 83, 0D, F4, A1, 20, 00, FF, FF, 15, 98, 83, 20, 00, 8B, 0D, E4, A1, 20, 00, 89, 08, FF, 15, 94, 83, 20, 00, 8B, 0D, E0, A1, 20, 00, 89, 08, A1, 90, 83, 20, 00, 8B, 00, A3, EC, A1, 20, 00, E8, 17, 01, 00, 00, 39, 1D, 00, A1, 20, 00, 75, 0C, 68, B2, 7B, 20, 00, FF, 15, 8C, 83...

Entropy:
6.6735

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
28 KB (28,672 bytes)

Approved Shell Extension
Name:
Autoplay for SlideShow

CLSID:
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

CLSID name:
Shell Autoplay for Slideshow
Scheduled Task
Task name:
2

Path:
\Avira\System Speedup\Delayed Startup\computer\2

Trigger:
Logon (Runs on logon)

Description:
Delayed startup list for computer
4 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\users\{user}\appdata\roaming\rundll32.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll3.exe)

Command:
C:\users\{user}\appdata\roaming\rundll3.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Service Host Process for Windows

Command:
C:\users\{user}\appdata\roaming\svchost.exe
The executing file has been seen to make the following network communications in live environments.


Remove kb17774921.exe - Powered by Reason Core Security