SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
File name: DesktopLayer.exe
Detection ratio: 58 / 61
Analysis date: 2017-06-11 05:07:34 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Ad-Aware Trojan.Zbot.IVF 20170611
AegisLab Packer.W32.Krap.hm!c 20170611
AhnLab-V3 Trojan/Win32.Zbot.R2926 20170610
ALYac Backdoor.Zbot.al 20170611
Arcabit Trojan.Zbot.IVF 20170611
Avast Win32:GenMalicious-GOW [Trj] 20170611
AVG Win32:GenMalicious-GOW [Trj] 20170611
Avira (no cloud) TR/Crypt.Xpack.AB.1 20170610
AVware Trojan.Win32.Generic!BT 20170611
Baidu Win32.Trojan.Ramnit.e 20170608
BitDefender Trojan.Zbot.IVF 20170611
Bkav W32.RammintDropperNNA.Worm 20170610
CAT-QuickHeal Worm.RamnitBot 20170610
ClamAV Win.Malware.QBot-846 20170611
Comodo MalCrypt.Indus! 20170611
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Cyren W32/Trojan.NFHC-8913 20170611
DrWeb VBS.Dropper.128 20170611
Emsisoft Trojan.Zbot.IVF (B) 20170611
Endgame malicious (moderate confidence) 20170515
ESET-NOD32 Win32/Ramnit.A 20170611
F-Prot W32/Ramnit.X 20170611
F-Secure Trojan.Zbot.IVF 20170611
Fortinet W32/Snocry.JQ!tr 20170611
GData Win32.Virus.Ramnit-Main.C 20170611
Ikarus Packer.Win32.Krap 20170610
Sophos ML heuristic 20170607
Jiangmin Trojan/Generic.beznk 20170611
K7AntiVirus Backdoor ( 04c4e9741 ) 20170611
K7GW Backdoor ( 04c4e9741 ) 20170611
Kaspersky Packed.Win32.Krap.hm 20170611
Kingsoft Win32.Troj.Krap.hm.(kcloud) 20170611
Malwarebytes Virus.Ramnit 20170611
McAfee PWS-Zbot.gen.pq 20170611
McAfee-GW-Edition BehavesLike.Win32.ZBot.qc 20170610
Microsoft Worm:Win32/Ramnit.A 20170610
eScan Trojan.Zbot.IVF 20170611
NANO-Antivirus Trojan.Win32.ULPM.dlsptx 20170611
nProtect Trojan/W32.Krap.56320.AG 20170611
Palo Alto Networks (Known Signatures) generic.ml 20170611
Panda Trj/Krap.Y 20170610
Qihoo-360 VirusOrg.Win32.Ramnit.K 20170611
SentinelOne (Static ML) static engine - malicious 20170516
Sophos AV W32/Ramnit-ET 20170611
Symantec Trojan.Zbot!gen9 20170610
Tencent Win32.Trojan.Backdoor.Jqsh 20170611
TheHacker Posible_Worm32 20170611
TotalDefense Win32/Ramnit.NFTMJbB 20170611
TrendMicro BKDR_QAKBOT.SMC 20170611
TrendMicro-HouseCall BKDR_QAKBOT.SMC 20170611
VBA32 Malware-Cryptor.Win32.073 20170609
VIPRE Trojan.Win32.Generic!BT 20170611
ViRobot Trojan.Win32.Z.Zbot.56320.F[h] 20170611
Webroot W32.Malware.gen 20170611
Yandex Trojan.Kryptik!P4PzTd0t6I4 20170608
Zillya Adware.OutBrowse.Win32.104455 20170610
ZoneAlarm by Check Point Packed.Win32.Krap.hm 20170611
Zoner Trojan.Zbot 20170611
Alibaba 20170609
CMC 20170610
Rising 20170611
SUPERAntiSpyware 20170610
Symantec Mobile Insight 20170608
Trustlook 20170611
WhiteArmor 20170608
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
2528-6142

Product люзанх
Original name nedwp.exe
Internal name фжзрюкшэщ
File version 106.42.73.61
Description BitDefender Management Console
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-02-12 11:02:20
Entry Point 0x0002C030
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
DragFinish
WinHelpW
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
RUSSIAN 2
PE resources
ExifTool file metadata
UninitializedDataSize 122880
LinkerVersion 7.4
ImageVersion 8.1
FileVersionNumber 106.42.73.61
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription BitDefender Management Console
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 4096
EntryPoint 0x2c030
OriginalFileName nedwp.exe
MIMEType application/octet-stream
LegalCopyright 2528-6142
FileVersion 106.42.73.61
TimeStamp 2008:02:12 12:02:20+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 106.42.73.61
SubsystemVersion 4.0
OSVersion 10.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName SOFTWIN S.R.L.
CodeSize 57344
FileSubtype 0
ProductVersionNumber 106.42.73.61
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack
While monitoring an end-user machine in the wild, CarbonBlack noticed that the following files, while executing, wrote this sample to disk.
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
ssdeep 1536:Q+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzE:bROzoTq0+RO7IwnY
authentihash 99dc4b0f55eed36a83a5dc3c5fd6fa5ed273fc25e48941cdf45e180d89a41f85
imphash 500cd02578808f964519eb2c85153046
File size 55.0 KB ( 56320 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (31.0%)
Win32 Executable (generic) (21.2%)
Win16/32 Executable Delphi generic (9.7%)
OS/2 Executable (generic) (9.5%)
Clipper DOS Executable (9.5%)
Tags
peexe attachment upx

VirusTotal metadata
First submission 2010-07-30 21:00:35 UTC ( 8 years, 6 months ago )
Last submission 2019-02-08 06:08:29 UTC ( 1 week, 1 day ago )
File names hnetzziosrv.exe
desktoplayersrvsrv.exe
810127101ed60359bdb05fefe29316835fb53bb3a31b82d5f8bc514a5596db83Srv.exe
CvMIJiDC.exe
qnvfadpp.exe
hhjxlsap.exe
iduilbvz.exe
fb29ffb0a2c586bd54126f2cc067e59532192b59dfe017f89f678e5df06bb0d7Srv.exe
4733d7645a5f750ec1581e2b55aa905e5d6512337508cae3df0b79c1f1ad70c0Srv.exe
tomhibin.exe
ClientSrv.exe
c90fa758b4c3f294d077dc09dd96356f788433bd3a5fd74c87f36f74fdba9544Srv.exe
68e2cecfde10a3c9438c96fdaf038b755133698071dab242d1ce45b571b005fbSrv.exe
qspiirms.exe
dnqgphvh.exe
9a5a53d872ce7d63aebcd13210fc22aa704baa5c81a50087612ecd9d244b9087Srv.exe
itar87htk8y46ziiishksrv.exe
9d10458b12cd9acb641f0108cfb857a97e021819f85f8442865e40bd50400454Srv.exe
uquberse.exe
cmdqyyng.exe
ttmstaie.exe
TibiaSrv.exe
gbfadvfr.exe
ucnjbvcpsrv.exe
DESKTOPLAYER.EXE
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Copied files
Deleted files
Created processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.