DESKTOPLAYER.EXE – Trojan ZBot

I recommend you UnHackMe - Ultimate Malware Killer for fast malware removal:

Free Download
Fully Functional 30-day Trial. No credit card is required.
Reviews
. EULA. Privacy Policy. Uninstall.

DESKTOPLAYER.EXE – Trojan ZBot removal

FileMD5Virus Alias
DESKTOPLAYER.EXE ff5e1f27193ce51eec318714ef038bef Trojan ZBot
DESKTOPLAYER.EXE ff5e1f27193ce51eec318714ef038bef Suspicious File
DESKTOPLAYER.EXE ff5e1f27193ce51eec318714ef038bef Trojan XPACK
DESKTOPLAYER.EXE ff5e1f27193ce51eec318714ef038bef Trojan Eldorado
DESKTOPLAYER.EXE ff5e1f27193ce51eec318714ef038bef Worm AMN
DESKTOPLAYER.EXE ff5e1f27193ce51eec318714ef038bef Trojan Krap

DESKTOPLAYER.EXE size: 56320 bytes
DESKTOPLAYER.EXE hash: FF5E1F27193CE51EEC318714EF038BEF

Created files:

C:\1e860c
%Program Files%\Microsoft\DesktopLayer.exe
%SysDir%\Driver\ctfmon.exe
%AppData%\Microsoft\Crypto\RSA\S-1-5-21-515967899-854245398-1708537768-1003\699c4b9cdebca7aaea5193cae8a50098_78de4566-a5cc-4192-bf8d-014e0d2bd235

Autostart registry keys:

HKLM\Software\Microsoft\Active Setup\Installed Components\{IIPYIVMX-238F-O4B3-8V66-MQA3MV85A18C}\StubPath: %WinDir%\System32\Driver\ctfmon.exe Restart
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ctfmon: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C004400720069007600650072005C006300740066006D006F006E002E006500780065000000
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HKLM: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C004400720069007600650072005C006300740066006D006F006E002E006500780065000000
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: c:\windows\System32\userinit.exe,,c:\program files\Microsoft\desktoplayer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ctfmon: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C004400720069007600650072005C006300740066006D006F006E002E006500780065000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C004400720069007600650072005C006300740066006D006F006E002E006500780065000000

Detected by UnHackMe:

DESKTOPLAYER.EXE
Default location: %PROGRAM FILES%\MICROSOFT\DESKTOPLAYER.EXE

Dropper information:
MD5: 12d616d93ea21ec2962f5d97485e987b
File size: 495227 bytes

Leave a Reply