2.4
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.64
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Trojan:Win32/Dorv.1cc8eb63 | 20190527 | 0.3.0.5 |
| Avast | Win32:KeyIso-A [Trj] | 20240623 | 23.9.8494.0 |
| Baidu | Win32.Trojan.Inject.bm | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20231026 | 1.0 |
| Kingsoft | malware.kb.a.1000 | 20230906 | None |
| McAfee | Downloader-BIJ.a | 20240623 | 6.0.6.653 |
| Tencent | Trojan.Win32.Miancha.za | 20240623 | 1.0.0.1 |
静态指标
一个或多个进程崩溃
(4 个事件)
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(1 个事件)
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\SCardSvr.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\~dfds3.reg |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\SCardSvr.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.rsrc', 'virtual_address': '0x00005000', 'virtual_size': '0x000034c4', 'size_of_data': '0x00004000', 'entropy': 7.523962532181017} | entropy | 7.523962532181017 | description | 发现高熵的节 | |||||||||
| entropy | 0.5 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
枚举服务,可能用于反虚拟化
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545293.10925 EnumServicesStatusA |
service_handle:
0x00514410
service_type: 48 service_status: 2 |
success | 1 | 0 |
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SCardSvr | reg_value | C:\Users\Administrator\AppData\Local\SCardSvr.exe | ||||||
文件已被 VirusTotal 上 69 个反病毒引擎识别为恶意
(50 out of 69 个事件)
| ALYac | Gen:Variant.Downloader.19 |
| APEX | Malicious |
| AVG | Win32:KeyIso-A [Trj] |
| Acronis | suspicious |
| AhnLab-V3 | Backdoor/Win32.CSon.R885 |
| Alibaba | Trojan:Win32/Dorv.1cc8eb63 |
| Antiy-AVL | Trojan/Win32.Inject.aaceh |
| Arcabit | Trojan.Downloader.19 |
| Avast | Win32:KeyIso-A [Trj] |
| Avira | TR/Dropper.Gen |
| Baidu | Win32.Trojan.Inject.bm |
| BitDefender | Gen:Variant.Downloader.19 |
| BitDefenderTheta | Gen:NN.ZexaF.36808.cq0@a0LUH!ci |
| Bkav | W32.AIDetectMalware |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Trojan.Ulise-6838227-0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.bf3e37 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| DeepInstinct | MALICIOUS |
| DrWeb | Trojan.DownLoad4.16280 |
| ESET-NOD32 | Win32/Injector.BFSU |
| Elastic | malicious (high confidence) |
| Emsisoft | Gen:Variant.Downloader.19 (B) |
| F-Secure | Trojan.TR/Dropper.Gen |
| FireEye | Generic.mg.d1a4858bf3e37433 |
| Fortinet | W32/Injector.BFSU!tr |
| GData | Win32.Trojan.PSE1.13MYFBD |
| Detected | |
| Ikarus | Trojan-Downloader.Win32.Small |
| Jiangmin | TrojanDownloader.Small.ajux |
| K7AntiVirus | Trojan-Downloader ( 0040f54b1 ) |
| K7GW | Trojan ( 0053a0a21 ) |
| Kaspersky | HEUR:Trojan.Win32.Miancha.gen |
| Kingsoft | malware.kb.a.1000 |
| Lionic | Trojan.Win32.Generic.lk0q |
| MAX | malware (ai score=84) |
| Malwarebytes | Generic.Malware.AI.DDS |
| MaxSecure | Trojan.Inject.AACEH |
| McAfee | Downloader-BIJ.a |
| McAfeeD | Real Protect-LS!D1A4858BF3E3 |
| MicroWorld-eScan | Gen:Variant.Downloader.19 |
| Microsoft | Trojan:Win32/Injector.ARA!MTB |
| NANO-Antivirus | Trojan.Win32.Small.cpbmb |
| Panda | Bck/Qbot.AO |
| Rising | Trojan.Injector!1.A7C6 (CLASSIC) |
| SUPERAntiSpyware | Backdoor.Bot/Variant |
| Sangfor | Trojan.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2010-08-09 09:44:42
PE Imphash
118eb37b88640d7f3f7ac979ea5687cc
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00001765 | 0x00002000 | 5.964355257636601 |
| .rdata | 0x00003000 | 0x00000735 | 0x00001000 | 3.0709249240351824 |
| .data | 0x00004000 | 0x00000648 | 0x00001000 | 1.2869394487982222 |
| .rsrc | 0x00005000 | 0x000034c4 | 0x00004000 | 7.523962532181017 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_RCDATA | 0x000050b4 | 0x00003000 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_VERSION | 0x000080b4 | 0x00000410 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x40301c ReadFile
• 0x403020 HeapAlloc
• 0x403024 GetProcessHeap
• 0x403028 GetFileSize
• 0x40302c CreateFileA
• 0x403030 CopyFileA
• 0x403034 MoveFileExA
• 0x403038 GetTempFileNameA
• 0x40303c GetTempPathA
• 0x403040 GetModuleFileNameA
• 0x403044 LockResource
• 0x403048 LoadResource
• 0x40304c SizeofResource
• 0x403050 FindResourceA
• 0x403054 GetLastError
• 0x403058 lstrcpyA
• 0x40305c MoveFileA
• 0x403060 DeleteFileA
• 0x403064 lstrcatA
• 0x403068 lstrcmpiA
• 0x40306c ExitProcess
• 0x403070 ExpandEnvironmentStringsA
• 0x403074 GetTickCount
• 0x403078 LeaveCriticalSection
• 0x40307c GetProcAddress
• 0x403080 EnterCriticalSection
• 0x403084 VirtualProtect
• 0x403088 InitializeCriticalSection
• 0x40308c GetModuleHandleA
• 0x403090 TerminateProcess
• 0x403094 VirtualAllocEx
• 0x403098 HeapFree
• 0x40309c VirtualAlloc
• 0x4030a0 lstrlenA
• 0x4030a4 Sleep
• 0x4030a8 WinExec
• 0x4030ac GetLocalTime
• 0x4030b0 SetUnhandledExceptionFilter
• 0x4030b4 GetCurrentProcess
• 0x4030b8 GetCurrentProcessId
• 0x4030bc GetCurrentThreadId
• 0x4030c0 SetFilePointer
• 0x4030c4 WriteFile
• 0x4030c8 CloseHandle
• 0x4030cc BeginUpdateResourceA
• 0x4030d0 UpdateResourceA
• 0x4030d4 GetLongPathNameA
• 0x4030d8 EndUpdateResourceA
Library ADVAPI32.dll:
• 0x403000 CryptAcquireContextA
• 0x403004 CryptReleaseContext
• 0x403008 CloseServiceHandle
• 0x40300c EnumServicesStatusA
• 0x403010 OpenSCManagerA
• 0x403014 CryptGenRandom
Library dbghelp.dll:
• 0x403100 MiniDumpWriteDump
Exports
| Ordinal | Address | Name |
|---|---|---|
| 1 | 0x4042f8 | szFile |
L!This program cannot be run in DOS mode.
{E!?+r?+r?+r%r;+r?*r
+rvr4+r
!r;+r-r>+r/r>+rRich?+r
.rdata
@.data
SVWj@3Y3j@fY3fj?3Y]f]E
MSQEuPV
YYPV50@
ESPuW=0@
ESPuhC
;t$uuh
X^UQQV5
WEWP}}
;t'EPEPEPh
3?;3j u
A(;r3_^[
LS n6$@x/Z
V)[tOx$
+Txs,I
utaO=k1G33
DXS@c &d
Z }Y3QCy
.hzJU*q
H,bN#o7?
n7h@)%r
kA7b&Vm.=i:}yc
Kr+yk2Z
r;Fbq
K}=~s%MIlu6rU3= ;f?'M
i(/prBRy=w?!
o\^3xG;
NLXMaW
8udc#-o#
/1}0h-
^7WM9Ba
`(InTUl%y<i!
{#6rmg
f_*tppDYCe
*d?L<]
'x/7QY"r
O\3s>\h;
oU8?24
nSOy_[
4)B g=\]G&
MO$z\S
|_^[]UE
Q@@Ed*h
!>a$_b
'i_6De
7p)9iO
t_w[Vfn -
R&0 >=uL
8so7?(
EE~cSVu
3fj@3Yj@fY3fj@3Yu
]f]@~)M
GEQ@9E|
3tESPPPPu
X_^[U@fe
3Y}fhS"@
EPEhA@
V3WV3}h
V#VPVWu
uRFGHt
t+t'NW8u
;uH_^Q=
r)$x%@
DDDDDDDDDDDDDD
w$w6w! w+ww
`u_iwejw3w)wMw
`uwI"wO!w[w`w`ww
owwA#wIwAw1#ww
=wwww6w
w|w)w-w
G?w9)w
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
CloseHandle
WriteFile
SetFilePointer
ExitProcess
ReadFile
HeapAlloc
GetProcessHeap
GetFileSize
CreateFileA
CopyFileA
MoveFileExA
GetTempFileNameA
GetTempPathA
GetModuleFileNameA
LockResource
LoadResource
SizeofResource
FindResourceA
GetLastError
lstrcpyA
MoveFileA
DeleteFileA
lstrcatA
lstrcmpiA
GetLongPathNameA
ExpandEnvironmentStringsA
GetTickCount
LeaveCriticalSection
GetProcAddress
EnterCriticalSection
VirtualProtect
InitializeCriticalSection
GetModuleHandleA
TerminateProcess
VirtualAllocEx
HeapFree
VirtualAlloc
lstrlenA
WinExec
GetLocalTime
SetUnhandledExceptionFilter
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
KERNEL32.dll
wsprintfA
MessageBeep
MessageBoxA
USER32.dll
CryptReleaseContext
CryptGenRandom
CryptAcquireContextA
CloseServiceHandle
EnumServicesStatusA
OpenSCManagerA
ADVAPI32.dll
StrChrA
PathRemoveFileSpecA
StrRChrIA
SHLWAPI.dll
MiniDumpWriteDump
dbghelp.dll
roudanx.exe
szFile
svchost.exe
RT_RCDATA
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
szFile
ResumeThread
SetThreadContext
WriteProcessMemory
VirtualProtectEx
VirtualQueryEx
ReadProcessMemory
GetThreadContext
CreateProcessA
kernel32
ZwUnmapViewOfSection
Are you sure?
regedit.exe /s
~dfds3.reg
%tmp%\
Windows Registry Editor Version 5.00
"%s"="%s"
%04d-%02d-%02d_%02d-%02d-%02d.dmp
kernel32.ResumeThread
wwBNwww
wc:\temp\virus.exe
c:\temp\2015-05-01_22-53-25.dmp
yY8l#O-=_0L9{8
x\[vd2T
O\F"DmiF).}M
<z|w=\U@
k,3z5V
tG3q44C2O
)D'1s`\?
jp]R#Dg$
K(Ovy_%5
}^Wt,#
$_~"Ezf
1P<#[Xe
*#*UTcBqH^/
ID`zl3P;B+V
~1B&>Sj
$:xMfn+
ZL{&!Nl0q
1X++DE=
rnh6?=.cU
PJ1euz5k]9
bep||+lA
&UqHK*YF8e
b}$y"*dV]
v2<Up;0e
0j\$zQ
u||<HR
@#8Vop
$[ed@0!L
}W__6b
mZ3[?~XwB<J
ak;{.G
X<?^F/;
vrMdP>mN
97Xm-tPml
2O6F_q
?vL3 N
z86`'wr
P?OHU;
*#?By^
g8x5C.lQ
2Me7iZ
xy:]Lu*y7
,8? w2/|LTwg!Q@AT{$o
_u9ON^/w4
sMwgj5>{
zd*wiJ
#'=$l#y
E<uRfi7^k`>
c!!+#O
L>;D[C\
EUL QqOn{@=gTk
AzW++jmV6\ad'PazQ#6aK
C=TW/fw6\^iZ9Z(R
!S^Bvjq
Uw"sk,!3"L
m9Y|c+?x
)^&nmL5mtQ`
'v)T:7
9p-p_Q
?f`&^F.
{vV}fw
*/~rWO~&
xN1C)db
+GG[2@!
PyLa`N(pMr6
Th({2Go?N
.e[QO@vt
U'Aa4[$`K:
{)U8if`zhB
&e aRpUO
;g)Wg`
Usr O }Lr
GtLD@x
/3lfB5
rC@zK?b
i%r#kCJM
P_6%GR
&}PHTU4CF
apua"|\S4~
k6c*6)'Jjx
8\\#9"MB
h@ID7mt57
^XC1{<
|A6BoFX
0th (J
TW(u.}
..0f7C
dtV6x5
tu)2$r{
[hM\xb
iOgz.G
50E1}Ti\D
@vGL9|H^HQ
j;+Nhe)
j_>vcp"~/;S
Z_AU,Y1z)I1^r
V2BCeMli_My
L9S'e^`Z"
R4"SFJgG
y-JJQ>K|
6B`m%g@
rr{O|p%Y
;7Y1^GR
m135"WO}$.
55'>Y^,
$]`2Hv*><.
vM2>cy%f3
|5&(+1&qK~
|<8p-/_
Ju3.#>+v%
5_Cyu`wYO695
Cio@|\wV@CeM
[$rm~)
1Qk6SJ{kW3^ 7d:X3n|
o@ wB->P
_F1.5hh@
VvPdz:K
/Ne">PEwiLs6:
o$AQ*rwn^
:,ap5p
sbv8DwTEI-s
8b29g$^
/41nXv/\D*)F
;iR[PS2
Wt{7QU"O[x]
m#^):7
0cJLtB
NOO2c4
gB5#}y~
Os|wy@iH
{g(Y0{3r
3I}$%V
--P jO
mG"3n*y`R
M#;Uo|duni
tD@@zwdf
`#%NJ`mBrYhXa
m-]wn[h
o08j#b
rbiVQ8\O
tXM4|&ui
/x3-H9l3e@%
m/V<gU8
@o;1n@.
5Y$3D *
MiL)@.0D"
{9>bi(jg
/(v|#yqG@
bXz*^'q3
~;*$|B|
ZKn:&?Td$k
#8hbX
OMWR&I
j*msk8
3kU=I7 (
>$LU8sU
*jaYm"
:hK\GU
2kN^n=\V9Zv
Y)&WB0YL
N7']F>
uE8n7u
w^[R#o
K>oNJw
d\C;d`
i(i|oA
(hhF4Rj%
0GQ9lg
>|M3`6
Xfm9)r4\?7( s/+]
HEF<{%M
`fg+} <
vQQE@-s
^G m*`F
X$yN\G4'RT
e|XH3_R
LekUUo
B\1!kl
\n"Y;
oic9ehS<R
^6@=/h
yRGdr
*tN'A-
GY1zQ^B
}Ie^0vl=1D
m~vGC6OKW
,.xeip,
SM<FRzk8;
6g$/;bw
5&9G82
Zr+p)lw>
JS~O(i
h jert
'QZ'UYr$
*<"ZanG
W-uOb)f
%8:Z'EE
dyh/uVy?mO
LI[L57{
{{3)J9
*beS!
A^(?]CXEA
;x8=\<3
luc kxO
lhLTn1oa[o
l~(he=th7
c`X>~F+)
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
R�T�_�R�C�D�A�T�A�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
A�d�o�b�e� �S�y�s�t�e�m�s�,� �I�n�c�.�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
A�d�o�b�e�?� �F�l�a�s�h�?� �P�l�a�y�e�r� �I�n�s�t�a�l�l�e�r�/�U�n�i�n�s�t�a�l�l�e�r� �1�0�.�1� �r�5�3�
F�i�l�e�V�e�r�s�i�o�n�
1�0�,�1�,�5�3�,�6�4�
I�n�t�e�r�n�a�l�N�a�m�e�
A�d�o�b�e�?� �F�l�a�s�h�?� �P�l�a�y�e�r� �I�n�s�t�a�l�l�e�r�/�U�n�i�n�s�t�a�l�l�e�r� �1�0�.�1�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �?� �1�9�9�6�-�2�0�1�0� �A�d�o�b�e�,� �I�n�c�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
A�d�o�b�e�?� �F�l�a�s�h�?� �P�l�a�y�e�r�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
F�l�a�s�h�U�t�i�l�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
F�l�a�s�h�?� �P�l�a�y�e�r� �I�n�s�t�a�l�l�e�r�/�U�n�i�n�s�t�a�l�l�e�r�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�0�,�1�,�5�3�,�6�4�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Process Tree
-
045a4bda6519feae39fda400425a912978e58d3f1140b8f3df20bba7d87db5b3.exe (1612)
"C:\Users\Administrator\AppData\Local\Temp\045a4bda6519feae39fda400425a912978e58d3f1140b8f3df20bba7d87db5b3.exe"
- regedit.exe (920) regedit.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\~dfds3.reg
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 4b5b6eb250e00a06_scardsvr.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\SCardSvr.exe |
| Size | 36.0KB |
| Processes | 1612 (045a4bda6519feae39fda400425a912978e58d3f1140b8f3df20bba7d87db5b3.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | dddbc349b5c9c84c3eb55719152836c0 |
| SHA1 | 9f099adddbc5d3aee305a5931665f21b2f518346 |
| SHA256 | 4b5b6eb250e00a06d493dcc1b2c5585230d27c2fe8d668552c9ae2b845478a9a |
| CRC32 | 093D348E |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.