3.8
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.76
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:ReposFxg-C [Trj] | 20200922 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.rb | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200922 | 2013.8.14.323 |
| McAfee | GenericRXES-MD!E9025503E7B0 | 20200922 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0dadf | 20200922 | 1.0.0.1 |
静态指标
观察到命令行控制台输出
(6 个事件)
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | .udata |
| section | .ydata |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
查询磁盘大小,可用于检测具有小固定大小或动态分配的虚拟机
(1 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\mznqssqd.exe |
创建一个服务
(1 个事件)
创建可疑进程
(4 个事件)
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\ADMINI~1\AppData\Local\Temp\mznqssqd.exe" C:\Windows\SysWOW64\hesyapcx\ |
| cmdline | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hesyapcx\ |
一个进程创建了一个隐藏窗口
(6 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00001000', 'virtual_size': '0x0001988c', 'size_of_data': '0x00019a00', 'entropy': 7.625999178074499} | entropy | 7.625999178074499 | description | 发现高熵的节 | |||||||||
| section | {'name': '.udata', 'virtual_address': '0x0001b000', 'virtual_size': '0x00001888', 'size_of_data': '0x00001a00', 'entropy': 7.715293173702624} | entropy | 7.715293173702624 | description | 发现高熵的节 | |||||||||
使用 Windows 工具进行基本 Windows 功能
(10 个事件)
| cmdline | sc start hesyapcx |
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\sc.exe" description hesyapcx "wifi internet conection" |
| cmdline | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hesyapcx\ |
| cmdline | cmd /C mkdir C:\Windows\SysWOW64\hesyapcx\ |
| cmdline | "C:\Windows\System32\sc.exe" create hesyapcx binPath= "C:\Windows\SysWOW64\hesyapcx\mznqssqd.exe /d\"C:\Users\Administrator\AppData\Local\Temp\0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe\"" type= own start= auto DisplayName= "wifi support" |
| cmdline | sc description hesyapcx "wifi internet conection" |
| cmdline | sc create hesyapcx binPath= "C:\Windows\SysWOW64\hesyapcx\mznqssqd.exe /d\"C:\Users\Administrator\AppData\Local\Temp\0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe\"" type= own start= auto DisplayName= "wifi support" |
| cmdline | "C:\Windows\System32\sc.exe" start hesyapcx |
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 43.231.4.7 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| service_name | hesyapcx | service_path | C:\Windows\SysWOW64\hesyapcx\mznqssqd.exe \d"C:\Users\Administrator\AppData\Local\Temp\0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe" | ||||||
操作本地防火墙的策略和设置
(2 个事件)
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
生成一些 ICMP 流量
文件已被 VirusTotal 上 54 个反病毒引擎识别为恶意
(50 out of 54 个事件)
| ALYac | Trojan.Agent.CXOV |
| APEX | Malicious |
| AVG | Win32:ReposFxg-C [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.CXOV |
| AhnLab-V3 | Backdoor/Win32.Tofsee.R225739 |
| Antiy-AVL | Trojan[Banker]/Win32.Emotet |
| Arcabit | Trojan.Agent.CXOV |
| Avast | Win32:ReposFxg-C [Trj] |
| Avira | TR/Dropper.Gen |
| Baidu | Win32.Trojan.Kryptik.rb |
| BitDefender | Trojan.Agent.CXOV |
| BitDefenderTheta | Gen:NN.ZexaF.34254.@tW@aKWQ3mci |
| Bkav | W32.AIDetectVM.malware1 |
| Comodo | TrojWare.Win32.Crypt.C@7vajd0 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.3e7b0e |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Trojan.BQM.gen!Eldorado |
| DrWeb | Trojan.KillProc.54838 |
| ESET-NOD32 | a variant of Win32/Kryptik.GFKT |
| Elastic | malicious (high confidence) |
| Emsisoft | Trojan.Agent.CXOV (B) |
| FireEye | Generic.mg.e9025503e7b0ee50 |
| Fortinet | W32/Kryptik.CQXJ!tr |
| GData | Trojan.Agent.CXOV |
| Ikarus | Trojan.Win32.Crypt |
| Invincea | ML/PE-A + Mal/Elenoocka-G |
| Jiangmin | Trojan.Generic.cbpvc |
| K7AntiVirus | Trojan ( 0052d81e1 ) |
| K7GW | Trojan ( 0052d81e1 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=83) |
| Malwarebytes | Trojan.MalPack |
| McAfee | GenericRXES-MD!E9025503E7B0 |
| MicroWorld-eScan | Trojan.Agent.CXOV |
| Microsoft | Backdoor:Win32/Tofsee.T |
| Panda | Trj/GdSda.A |
| Qihoo-360 | HEUR/QVM20.1.18A6.Malware.Gen |
| Rising | Trojan.Kryptik!1.B18A (CLASSIC) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Elenoocka-G |
| Symantec | Packed.Generic.493 |
| Tencent | Malware.Win32.Gencirc.10b0dadf |
| TrendMicro | Trojan.Win32.ELENOOKA.SM.hp |
| TrendMicro-HouseCall | Trojan.Win32.ELENOOKA.SM.hp |
| VBA32 | BScope.Trojan.Downloader |
| Webroot | W32.Trojan.Gen |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2016-06-09 17:13:41
PE Imphash
d4f4fd42d30a645026590a2d5428530d
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0001988c | 0x00019a00 | 7.625999178074499 |
| .udata | 0x0001b000 | 0x00001888 | 0x00001a00 | 7.715293173702624 |
| .ydata | 0x0001d000 | 0x000008aa | 0x00000a00 | 4.0936667783808875 |
| .rsrc | 0x0001e000 | 0x0000049a | 0x00e8d400 | 3.9271016990476575 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_RCDATA | 0x0001e060 | 0x00000400 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library dbnmpntw.dll:
• 0x41d2c4 ConnectionVer
• 0x41d2c8 ConnectionClose
• 0x41d2cc ConnectionWrite
• 0x41d2d0 ConnectionRead
• 0x41d2d4 ConnectionError
Library crypt32.dll:
• 0x41d2dc CryptFindOIDInfo
• 0x41d2e0 CryptEnumOIDInfo
• 0x41d2e4 CryptMsgUpdate
• 0x41d2e8 CertFindAttribute
• 0x41d2ec CryptDecodeMessage
• 0x41d2f0 CryptMemFree
• 0x41d2f4 CertCreateContext
• 0x41d2f8 CertFreeCTLContext
• 0x41d2fc CertCreateCRLContext
• 0x41d300 CertNameToStrW
• 0x41d304 CryptMemAlloc
• 0x41d308 CertGetNameStringW
Library kernel32.dll:
• 0x41d310 GetModuleHandleA
• 0x41d314 GetStartupInfoA
• 0x41d318 GetSystemDirectoryA
• 0x41d31c LoadLibraryA
• 0x41d320 GetStringTypeW
• 0x41d324 GetCurrentProcess
• 0x41d328 lstrcmpi
• 0x41d32c CreateFileW
• 0x41d330 CreateFileMappingA
• 0x41d334 lstrcmpi
• 0x41d338 HeapFree
• 0x41d33c OpenFileMappingW
• 0x41d340 FindFirstFileW
• 0x41d344 OpenMutexW
• 0x41d348 OpenWaitableTimerA
• 0x41d34c GetTickCount
• 0x41d350 CreateMutexA
• 0x41d354 GetProcAddress
• 0x41d358 SearchPathA
• 0x41d35c lstrcmpi
• 0x41d360 LoadLibraryExA
Library advapi32.dll:
• 0x41d368 RegCreateKeyExW
• 0x41d36c LogonUserA
• 0x41d370 RegEnumKeyW
• 0x41d374 RegDeleteValueW
• 0x41d378 RegRestoreKeyW
• 0x41d37c RegLoadKeyW
• 0x41d380 RegReplaceKeyA
• 0x41d384 ReadEventLogA
• 0x41d388 CryptSignHashA
• 0x41d38c RegOpenKeyW
• 0x41d390 RegUnLoadKeyA
• 0x41d394 InitializeAcl
• 0x41d398 OpenEventLogA
• 0x41d39c RegSaveKeyA
Exports
| Ordinal | Address | Name |
|---|---|---|
| 1 | 0x4054dd | kilq |
L!This program cannot be run in DOS mode.
`.udata
@.ydata
)Oz% H)RD$A
tXj^!V
P!jxPwC
+]}md@z%mWx$uM
H%HIHMHQH
}H1,yw
AH;9^zfq^]=YkgY8#o
zH):>2)F
gMgm\Ynn
'MVf}d'MNf'MJiMf
\n\`ut
LW.YEu.]M
r~KirT
""">":"
"r"N"J"f
"8"<"@"d"
"."*"F"b
"(","0"
^0Kl$6rMH) Wn
D/BP\D
!2Gs2#)HQ
j}'+vr%!
}B-p&&b
c+hX^)B+U0^+
Tw:.EH8L|
mVKWClwR-
52=C^d
8<2BRJ*<D %~ZZh
q?X_ebm
5BBTD0:
r+I>&PhD*J\
HsrR)3f
fJIx&H_
N[,1.M
r>@'ry>
{ EvQDV7}n
*Vp:C{Oq
SZaQgKX
FJd0VH
E.cL0943ideFZt3
M= D}*Y)
j0#9$9
B,Q/u&/
-hk{uW$
o)!H3B=
\}z o<,t,
Q^!liX1^J
CoxV~[=
r]D<Y"
U^Gg n
d)6Vh)fs"
|'\7 .^
0ut8wFoAX8#mzy<
9W{RYvvb
jOG-?q#
,dm%8Cpd9N
9n~`")Vrt
5n*nWd-
nJuW_P
~qw0AI
A=M<$'t
j:+-P
ZsYy=9!9OR
;L~bz.U2
Jjm9M^9$"0)0p
dc_7NtRo
(qFCTp3
> ,XN"
xr2TqfBo*
}Unh s
?_oY6$\
N6h4(s`MSE_
GI L]V-@
|6krOY3
Z .( N-g]
^m3gip
Ym%NP*QR
.AnU:H7
g+RD@jh
v}B0=DqnIb#gDUE
O5U:6.57
@svXi[\
9--TL}k#;xs+s
f;zo#-bg
}*T7$f
9e01TqcV
.@&" .-q
03\|=%dr%
I$xPWx!
[\^,p>]
W>ZaX /
=0>7~B> 5&
}$?Et~>
#+7g99
`j!pc"X
0tGqN3{
Y{n?m\
q:^Qs>\lQF
f2 ~'*@%i
!n#6cGx./'AN'g
s/)/38
;Q,^D*
!@/aDdoA
1W?Ip#d:^,Pes@"[2
"ljY<SP ^_q]bd/"%
8u&$G~'bn
C<\_/.
9hEs?w+
aGSDnze
hBVzA^"}=h0
oxhoJd~
A{{vEOvn
vqVO8Js
U!x6}Nv`^Q4
muKy>)Eh
;dcIfFeuBy]M
L':XOLG
aIWA&n3
`WGI9{/H
(mA:A,D7%N,
MR)\>&I!
A9--G.
(GoRMwS
A|G#{.|"AoF(
Y~X1yM
.6)9.<
0M A:oG
:ElI 9
V0K/Fp0VnvDHa+
{`xH`44
&R-O`&=wD
X,hDDF
9]2Xj_$
#Me40?
(iy(oA
R"g"V%
}:_MPyu&?fK&;g
'Xy)o~
%dygG_,:l
9L~]0c*
>mUe-[/k,*
SjNXpwc
p; 0G-
@\FS#^l
G^m$D*
2d@piL6C
p={)8|M%
'[:f"<
PX#>6!)J?Cskm&Y,
OCvw7l
=D0~(H';DmS}!iI
qdnG*R1zk.
Nn:]1y;Zx[i
QtD~.]
&#u6^/>
a9 4;k2-FT
d@@W<F
KQqHrK
:z'ksy
m|[=P|O
g3A:*Rc
FYG<s*
&Ig===
n|"2e#B"=
Y!&Nm/
`&E/whb
o0sL9vD6Y6b
2#<7-{f
XCeZ-K
g3 -^; YBJa
tZWWp\
'P#!+4
rXd.j.1
Mr0EpP
u,BC+ka}J
sc-=xt
qdd|LgH
cADL)v
lCa<zHw&=
d;Gj:|C/2\+&Z
#v7o:TF
al6wBn['t
8Fh*!u)
r^Di+TI]v_z
F:+Yaz
f<y|yg5^P3L$5
KAv1lc
yp]6i<
)yiuH}(
X70BrZz
9Z5~J#
Df|0GW
PrcBTPjb+E
>|o>S~
Swezw5
-IpEZB
\5s([YiMR5{LoM~G
-Mx.;=B
Tyl=@\4
l`YnM~D
X~<J N`B?\
R*c>}_k;"
yoY7\x<
GdJvg6N%
`L67<)Y
kw+vC+]QN
$dxWxH
| $];O
skgvTD
nZkk2>|P=$)
e#rheN9}x'"<N$
jS?_Mo7
?9r&/E
!+:T=V
EFJODbW
!T5Z^{
Kte@v=+xGr?cBXA
ai_b*)PhJ 8[
Ft,m^ET
$@Hirpg
vpEm76R=#
rXGY`1RJLk
*WZt"kV
wx3da i
bJXdacHn
5'o :7Ky_K8zF
_-fA=ls8
h?QZqWb~$q?K]y
6y_ ^VZ
CxG m y
y1jc|~
,U"m]98
"oxatfzi].M=
MW!ddK
KL:/wH{3z
v {H_{
~KfFlZ
)>U:c^O%}*R<*V\
)k,| 'd
+5rm~|MK
3|e1e=WA+30Bf
8v6L/Nj1*]
n|$Y>mP
I^-P$M
:0r/ R
t=[:{A:{v
`1W0<n]
0E\v7Qvnd
.0i#dC/qn?ppyTj
FDim07#
6{w7$i~
"BC>80n[2#
,:h&<$e^
I!^b@m
7,&{LkEF&
R3par5kk'W&E
{jQ'ZK
B;y{$<
ca R!TP
4ka\S~7.
vP^n'5f.
=/ds4R6
:o3]tC
q[2FTHq^;0}6P
Lky;L{t10
qVgu}$t5ff
=fgL'Yc)
~[DLwB
L8R~k'
.Mh~ftU5~<
IR#3][
UAeNP}
phc)Z"d
7f;5b#gcg
$94{Z*y
KzV7^m`
Uajj`,*\zWM-x/lra5R?{rtGP>9ti>oolJy?y
PnK?c/l
n3so>pyBY8'n*q
slnz$7J
x,;Gw=D
B_go/0
/>=a&E
AC@[7$QLH{
KJ=nqa
LLO*$UX
JyB>wm
:ZKh^l.
Hs=1Z7
QN&soCq
oh9>ZK{j
@}\hR|{/:
j"%_6w+[l
)3{es\
)^Y"Cl-;0JVx
OO1mF=Q||R
+aO#Rf
60}wr|&@
{!LENy
:;V]hWeA6Bd
zt":&]A
kiL/[,
K{^G044
{9qg51;7t'
~2W<WVAXFJ3nNyI
O|CM^u^
|<7$=Xbs
E.+G.2
]+_r.=2a&
`Kr?2a:%,qnT8ajE}
!f>tD6 L1y
NSSaIX
Q6G*J +
`{Js0C
KF@XWE
p?@#Q[
F(HG d6T}
?_BrlY4Z
$$Z+ge
=y%b5JM)";~8>
`*V#~!?q
X[r *`@>
[{Trgsc5
<K3 GB,
sI\va7\
q$IE:7}0
!lN1+"
{X\J:)
}why2yh(
kLDV;TJ)C
9uI!>Ucwtg"\p7
y"U\cP5^
#f?X_nOj!K
gyhv<D+[":j
66E- {&
aex#bgIo
Ua|Q[k
,}+lg07RG*
CfD[TNVgDZ
i$:xyK~
atpoBl
+bD4SuP
'xk q|Ke
*s$Az}
%1'#Yef3eT/0!,~*
}j:Du>
C[~iKN
22n}sL
>3j)d<y"
:eRTe;:
l2GeI j
\K/;wtC
S+e:W/
KZ@e+17
y+N0<*"
+pNm)#ha.N B
S~6|=LQg"Ec&0
p PrCOA{s
n*\,5Yn{
M@*r~_
_t$"`Qb
%af5.~?%RJN
.#[s-C.pqX
Cl(H{1
9s42}/
K~fx?A
Q~klL-N
o-mQo3\O}"
R@ts2!@F
]^:[1r
",Ejpc;Vz
vT\^`_ q
i>:|`-fZcp
mBDC\Yt/ -#,^+
8/g&B&}d[Wp!
{!rT3O
HX;Gjm|.3
#hi ^W
/K^eMVZ
O k?9/I=b=
Dv.=!0
&QKgO9
_iz?C1roM[!
1 cBc /!
pxLeW-M3s~*-n
+qd C{;
^O\xsh69'!
K7B__p
{v'<5A
#./v{Dcc*=O`#
h&fk|:
8JDxAeB
b2oHKJ
^S=]oIU
iojK&E
}B,#0g!'3
IIkVHL
p2B"2e-mez4
="\M2C
e@q?4~?>2
8E".{b5
!sgiMe3
,Y:G_q
zqPjzZ"nff/y}\mFMo@#>
resJA!i[<"%]
dHM_~J
#og>91
g!l;.I
f.T/rsk
r1L(.t;
l#-2W*
#W!9]h1
=!&0Rh0
g_4]2s9lk_C~=|
Y6R[DA~
tsG[-~m
"\gdX%z
-B:"$w;
s>o.l&
n?~M7\w
=}g<,M~uw~4}g
{fQrAdg:{ O
Q:(Amm
8)%6.AF^sq
R'$0xf
z`4T\?
*`Ihh^$efbPn#U>^\
qlP4k75T(|
UIH6gW
$zz6t-
z-0zyr
DM2Y#k\X_~p:HD
VQr7N^m
"icQVNgO
z:jLy{
a%Re{O-e([
fd2M\ 4
p3.w.2oa
"d0@szBJf]a\@LlHM
4G:Gc!q6-
u0Fi_9X
KY&~|a'
xs9^IAFj75sU!
C`>p!2
:3{G!P:
b{pQ 2g
OwF67TT$;
c~fiQ+:
0qSU3Uc
Z,KCo[c?
EYOKaS
-J>dF<#x
=6y4|W
mdg4[UpPwH
EF>0pB9
<)g=Z]
4QYQ1oI
!VE{o#;-e
z4z)K/,OC
Duk>K*)j>i*
g}J+)k
n@[wkM6
~1<O>dq
db3Fw4~
tt9DGxA<<
mA\?$o
Ox}R_K'
BM')F={1
&=nl@ng"^6w49(Wy}j
0$[c[#?iY
+fn&m`
pSh61?i
^Q2hU)
?Lm,Dm,\^w
"]iaibaP A`K
{!~\g`
QL;p&[4u9w
XoDfw8
z+H#zaM
MZjq^yW
RJHy79@UEn:
q$PYSh8)T<$
Z "2I1v
{J-I[hA~[
r@~~.%*7
TX@\I0[
Q\Onn>uUO
joc+OyT
$8T4L 61FB(
iHx?~0.
hwu*#01;7/
} LL ?q
p0^8@`7b
&)=9<dsBARu3@
,X<C~s<NT}"4f
{V*jYgg$
WQ05X}7i%<
K[-jk6y!
bXQ"W\.}>~
#q&]lNpU-
u(dhdl QYt
mUKjkgf
m;XCZ?
O]n}w*
HhZ?DoyO^
4NQr`d
t(\R%I
frTTTm
}WTK:}ONL
?(|A~dC>W0
--k0\p`~y0u8
n0A?W0
g,5yTm/[fXLT
&tCvuEshqH[
s($6ZBwLq7
~=pg%PP
z1Kfc^
c#~89}$Le
9Mt0;#~*
wC)ZB=^k1tla
msL<ny
}j>N F
DhPf)Phk`
3+i(A;S "
t*`Fk!'_K
;1v2i[y{ikLf
HOb>8n
ffPbO_R
?de|5N(15
=q0*>R'
ap^S19thh
1IJtw=%
vTPcNNn/#i9E{
~\xLi~(Upb
g{ 'Z;a
%za?+H:(
A>1!_?h>/
appS1si
[[9cgN
_DSvU5!
E)"(wm
vfR'5+y]
p$YxQ?
8lRv^ 1a#c`
&=n~OpN|Ni]4u
2n|{/\_}E R<
g|#2- R
f`,7^0TC\
F"-W`-ci=
uJQt)YS"aRt
mbS#+_s
wd*5d3;5
Ld!W`){_
48VL+tx]
z.rP[N
`r!RK*IGHh
&ZMG5/
zGo*&B
}x+UtlM
qG~unI/9:{?OY
=y[T*y
]R~\Ren
<8HX9o|i]iIB
hc>L])uu4l+7+`Z
=L-X%&
NB|/Nnv
b1m@~g
e{?,*}
v(gzQ9
qzCv@)|
+^poa.-
Ea q7c$
fa.Z/K
7UND|oO.6Rq
WnKyG l8u"=_B2;9
oarp3
!^I"dOB3{
OP_E0=M
PdG~^@VB
r]M8*3Kk*
f\g!nW]_l
!h9yxfy=1
Xc[N6?PBDFQL'~B9LHV+
V}i[Lun
1YHGq]-(l
a5If&G
2$,w];D<;'x
@a%yV8J
=8$yiI0
Bsp@1Nu
b.49pu(Y,ey^k
IL7rOU`g
P;M^m<_*R}S
vR*=_R?
!L~58cy\F2tR
r6``:|,sI
9D>T T$(-
] q C6vwLaa %a
/G0XcT#
{1]=m|p
{;$!B&K <cv
>`13qRp
{U}) IA8K
?Th'!\T@6
sON T_?
,i.0'q&"
@f-CAT
<Ne$oeb
]%yg_#wp
uKDc+{
]VRc"6 ZF
QXi$2E
h5uZo=
3}4r+2}#
aMnd\L
BsHa<6 w?
hpYxA]
-\@?:f|
CmHq|d=l"
e-G .H
VIPx}%]
p"luQQ
lvJP0Hq>]k
gy&"2q
^%4=nd
R. U^/+
Vmmz+`
f`3R6aI\|w8y
epT-cjU|[~$Anv
N'-)[]
F3yrGnE
U 0fs%NT2
n2dV}gI}
uD}weU
I5 d;^!5
a|<Hu.
>8nk-Mvw;6H
+%XvMUdNW#|L:\
ba8rQ|
\J'*5
(O'/=5+\Qn
!c/2M)u#1~,ls
dy,L%{6]
s1j87m
L^hnDui
''8lWy
S^}`OtBn
=og\z%)e
FtsIy\Ioi
.b@<5k
mF7PAGs7vqU;
bE]ov26
w@K6~weQ9r
; l5353fn^pE`i~B'
,1C#(7qg+
'zr>=Mi
6<w{7WwX
^nylNk3
_~z:W.!
nO ,/=W
zdKJ+$i
;=`fp;]Y(%
-Q7w256
I-{l9oZYa
8F\oJ=.X
%n,}}2%~okh>fB_
R&&cgL2a
7c}h)cnZ8
z;Iimr
;?DvNFJ
.LgI+U
b*- #=
9*ZkmfC^-
aES@F?@
|{{q?*
/A[H&#W5eG>lr&
_mVL0"!
0A%_ >"|D
%.T{1}I@3
3+Wk/-f*S2
o/b_%P
#"`)PA8
3-Jr/Q@(
l<gBpT=P
N/8G.dU%0_9+
Ov`oNdiX
6@FmQt,4MA
ylKzx;*4,
wdH-VJp
Uj%\*6.
"cDV'u|
_;6.w3dErHj
FKz@QMKF
@nrp,l-U7
Ts^WdArO
z|caX,4jXJvKRx
f}U\vO-2 R
wFct1,U
e7\mfD]Ui
NsmoUZ6Po;
|<E>`f`
g${UfG9
;FL4MPl
dO|Kl&v
`Z/!- ^2Tdyl
9by)t8rY
k tYyz'
"y(h PHN2H0m1
R5gDw>Rg`4ZRu
y4DWM>o17&
hi?,d>,3<
m,G^&Y
{X*MlP^
_MqB~@
,1M$E<H-]+
h28)0q2PBK<H*t
a|dVjo9s`%/
2'Mdnb
y}R-K=f`$0u
?gC*)@yd;HzMO1D'h
P.#{,_&k
ID9:R_<N
SHvqv7
EdR|[jW
Qcg&z&&|
b&BAMU
HW)WVr
t"R4GW
(#h5daI^tg N
./a/S$
h-8Z\E
/ZXR'#
+b+#gFmq_T2h3iv$di3p
8F0 G,ty
P6Wbt[;S
(z#I\^'l :?)`>!5Pr
!}m@M"
S.`{i]
PHy\>S
<RT|TV
bQ9!S=
ZrA[AE^e
/\1R-pm
xvjV/u^a.}
)Er^#7]=5
&!-wqCXAYSU
FunA4_
hD]/vmF_}
`2&(+5bv?XD
|?g&p-
,>xP\=
[ 8b^J"u
b\vpd7fH
]hOE[Ah p>S
I)Q%{iQ/4W
3)~N<B
^q_fNm
Ev5\w"*(8PAK
&EJsWK%
5tR0S5WatZB0p
C+!C4o/
-ikx@hP@
o[#>]6PP~TFA9s
o|!N<l
o;T|c6Y'
aFF6D@,g
:6gOQm
;!e*)B
(B ;X=
@lWD5v@S?Q[:_~?/7<9
v`@v4pLR
z W^}
vB(Mwy;PV|1t'B7$
y3TFJ<_
x["1usF
cy}z;3>-,
)o,iE] PV{
_pTOB^
bY7NwR)d6`;{b{.P
V8r'R9zHd
mlVu6Oc
j?+{1mZgi'%
xlenfT@d"W!
a8A`Eyw,J#,x 7
$1|p$gEz-3e$',x
K%4T"R
S.^('b
*/#j H
=`{(ZEq:TC
; S(Ad
u;w5N=J
[iXz#x{j
y3wwEH
{-6IlUp++:={
HPibO_PiP
a\|B.!
l@aDWS
z)6H9zx}
~CZ}&@
j +YqkJ?>
j3[!aA
fh,KN~
xC4jwx1K[
P\XeFi5
0WjQ;xC
x.qN)m8bp0CyI97&\
J7g=N#:|
53|k ?%
LZdqNWI
shF~!m_
F0TQ*~d9&g{
cQ&#hB
"gJr.3zwdQ[PPsr
wcii&=gRtB
_"bpn
0mEg`0]z
p'6AuR4
+Tt@F9
P8e]&u<
(+fh*)`
r9kJ:#&
Om (w1R
ntij(8m8s
r<oREs
=?ROdE
:t Fr=c
Ndn:1M]*8/_
W0 aN|O
&X^f\nTd
#{''%b<yY
C=dq&1$B){s^nW:
"~}e?86rq +
F7XW~2M
nN\OSF
wh>J#Qgi?Z"
\##rz):>5
o[+M-(6
iG5'1Wi(~
07'}-7%
:,!s_ m0
w]jWn3(
V"2MNO7
cjk+ E
:p=*+ng
DO[UEk
iy;OQn,
p(+1p|:
i\t<ti
CE|;+=d
3a`=?~l)[R
I{w#=`y2AS&a
o_n..d"X9~
1xkp8d1jb~y
6c]sl$vW[x9
Vp RiiH
X5oSv.p!
i{I+g0
9UT{Gd
t1oPtmO,
| 6##[
P*6C8)&xe(+oD&w<
/j'a-~
d w*nc
|u7/p%
TR)?F(9n6
,!<3I^
xG_+uK
lOt-0Fl/Q
CmBdZxj@qi'j
}+Ghv$6
;'o<iG
?3JFv(<w,
>89<[ !*erY
x!@^eV/
WS)o\\
Ib't[|2
=[wyE'vN{X5
JcOR{*{UD
s)r@vhRK
IyD4&b#{
!8#`!!alOYV&
*p$keeb
rJ1nm6@/A
Jq-1CTxq
h:9zmyVeTcV
Xg;j,p
b5wiU9
4Ep{hBX
Ne%`\zsn?P
,qTD'
p/fJ9:m{2
f-_ D~/
2v"VNm
`#a'fm5P/
Sf#|@b
Lzp"' b]:r
=@Z>)T+d
FHaIt_`
@i1 gXph_)
oeJ}L$,
;n^6WD
T:?poST;|4
IY4}.;F
^<Tl|uI
"Q{Rn~NyQ>y)B
z&``F_<TC.||=<Wxe;FQmw
U2? 2HT
:gUomk
nO[9 k
)86PWsWe
k-s64ud$
~f|mbY_
\i1n(Cv
[2h7+s{}
(kZYs+pS
'^Ie)1Yys8oy
+, ~L9}xXM
km1'k9E{Xtj.
l6YJmx]_
nx9B=!
wT|nVIT]:,G~_[fU
Cx `FnEt2RFs@W
zPqP)\.
6gE&az&
C0RT^S
l v=9!s
~_?lJ'
a^M3%Fe
SQqgZ_
UfW*xek
n_w [i
]7]MTJ
20?f--Wa122
'zr":A
j)k-M{b/P+
_:4Do..
D3!F+
|T+}b9<\}
d1+g-"S
YO!qQO"\
U}s,hA$
z%d`pszpI,
^,?5Tx
uv6A<;kHC,Lqs
a]7seaXXU
Lejf*Tk`ops[/
M@:,wVJx(pJ[*
jrY8grXj*
dC<czkv"
( Yvrl,0f
F]fxZoV9
> r9]L]ouJ_4
P19q0p.
-)1q>CJ[
9vx81<7
$bVMpCW
av6 "|
^2e@Dx'b9Qw|
=|r}sS7`g
id`!$R3Lpu`
oag[K^O
rp3<{N]
hj=13%
hZ9bxD!
|Vd_qdD
CgUyux
c{4D{G
p+ e1-`/,
oT6^eNW
*_RFy`
)W:^k7K
[`7<{V
3iUG.) h{vsIH
8.[#T8
@MlKY9@
w4O6C]6V
0Nur|>-O
}m,+p<0{qZ.
?*oI&(\X
nN/en f
4+aM0'
(p}>nBU\
&sgfY'
%o>a1q
<jl\]<d (^2h
=ZFtytD
'4&u:*u
*mx,b*
$jyt=h
dMB63I
p >5H9!Qx3
{lqSr$#$
-Ev 6p?2 E8,*
M>QZDL
$jnHsJ~%
9PU_ <
|O7!&?g"r#Uu:i3
[3IFzM:
6[1o-PX"DB(
A%R[7|PyN
l4:(@%.U
?1;Rrs6j
loy;n68v
w{7owI;!
1K0vIj
:^#&mh)g`hK)OR;}'_QKd)^s
9h/S&a6
7Bj4hd>g
SMvpZED
Z@<UD#H|qF!IK4 t
1V1-?7-oeZ
GU#C9]
7c2Q(
%$:417EE5(
${Nhq8c
N;%+-)
1?pjkq;*Yi]:sQj
#J$"x?
riW@(u6?lj%
6)?GQ*_IP
n RF<h!
-%[!){
"nah(q1
q\/rt~
H$@s|XrSX[NbL
gA>yyqx\]lI
`Y!38Y`J
Nw4J5P'8
5|.*Q;_
387?k\1
_yMU Kv})R<u
*/C#FbJ;o=
LXv4!u]vlvm
:8!~ L7
JTf*M{
{It[5#it9
L9gmK.r
F6o9.+
~9$McWfL
&TJ3t_y
5,4?>q
Y[?23p2
Q!`~91
m7X,k<'l^d
XV][L:sw3q5~d
'M(iWT
E$/I:2{
[bjc#*6r/+zf
Qhthk{ T<#a
>5LtGDcj
^CJl_#j!tp
Ntlz^; ]oAzet(WA5jf
Xn9?g2_
6~>UpW
WBtH>
b8&n!f?
`}s 0L
Dhy:?)"V
euN$l[i
PQp#U4q~
wQeU@YdHP
IL65~,;&iM
ulNe^'6u-I
NW"xE)6
^+$ehaic3\^
AV[Is\
ZK h{[1f?>3xx
[}b?u@vG:
%3IKy8
Ef_Y5]N<!
P>yC7qCMq
OB=Oz};O
;g3I6%?
=&`okQ:y
W(!HIbj
~pS(b.d&
bGhYqr
]CDBRC
Yh{0^qBJ(
[d+xmWLK
'xO6DxYJ1
SIVx@IE
M/w,Y6.
6rGseKDu
m6[FcpdO
@S[h+1,
QZ8!t`+y
Sc<8rM xiC,Bj
O9\w~ D
WH4xarY:{Z
tdsEy7
a_laz}fT
M.NG|YI.8o3\S
_:kJc*
=}j/?,!%k
Op9]xt_!`
k[4mut[}|)
H(Dm{XEx
5@hu&l&Ygl&]gl&agl&gl3&gl
&gl'&glC&gl_&gl[&
gl&%gl&Igl&Mgl&Qgl
&gl#&gl?≷&gl
&gls&glO&glK&glg&gl&9gl&=gl&Agl&egl&gl/&gl+&glG&glc&gl
&gl{&glW&
gl&)gl&-gl&1gl&
gl&ygl&}gl&Sfl&fl
&fl'&afl&fl-9)#dklA-
ol1sl 5wl
<A|l <5|l+<U|la:?3d
l#=Q-f
li]aM lWac]#lGeSm'l
i+lm/lq3lu46l9
6lsv16l
v99lQ`{
ClGnSl%l
lo-Aul
li6Sbl}N[lD
ml)l0~l]'l5=alAEilM
QlQZAlaseAsz
zy_zQ1
z:-bzP1bz*I{z[
q/RD}&jC<
tT:/?:
G>>-&[~jfeIh
bHkis#E
BBh_p)#
den$Hi'N[%'5v
V'uMI#
?<3J=>0?
~oSGHpO
,M2Fo<
tlCtC?<
d&kn/E~zVd9.
._bLh>
.DJeD4vCKq9
!lDv[tA58'W=eP
&DoT9%
}Bn U#
vlcS*)orh\N
RVp9!I(|rH& -
4A#B$yC
lt %gjvj
0souY5kto|NM:s
xqXL"5hca
9SQs2X-#w.oU
C <p#:>@na/I
X+7>hr
zaFpBTjR
4Jmi52p
BcX(|zElp
QC3c0`WmWtk
gm9=ci
en>-m&1
x@&v0m6{
eTD{-X
w[i!xN%ALX
'Vn[Hl<Y:v
,Z0V}W*SZP,PK]X<
L~V]uUZoHYXq
<Lz$x/-
iXPlQCVRS\6M?d3
nt4Y[Luk1#UzR~Q%s
~IX\_[n
MrI3.jro|
;O)|}9b
V98zx=w/I,
16Zd*}X
db$K_$Cg+i%Q[&dY'
(p`)v^
c*gY>,<p~
{ZxX% ]4NU>
nc2,+]
N*=&m,3
0 }v5U
4BP43^a
.TzWT}
L5CdW1
9,kNH#
U\(WYPE
EqDv?;[
JAV5S:A
(b|l/Yf -
t{x_>;6S
(T|_==<QCa%$
(L:bUfTd'
x!`VN2R
PK qQD
O;\}a3O"/@Lh
*"/Jir!
%tlj1~zQ
CmG7~I"OjF@(-R;B
B>d #D2Z
m\vT_ dHWHV$/P
t'$S].%~hf"X*m
n@$vUP!r=
}cQ'lE
$gyiPy
3QA`=SF B
9aSa|#NbS|#
eSE'OiS(KiS
qSI3uS47uS=6
vS_265uvSG7
vS6UwS
SS%SqySq:SeS'w)S[w
S%SqSAS
SuS[5~SQS
KSSYSmCiS]5S#
3F\Pgm
%u.gPwz)
kP]-O>nPij.
nP/.nPs.1nP
.:qPd3
yP_+8F
}k)<FQv|{<F}Q<N}w<0}
<A}<L}6<}Z<}a<F|
=F<13]
>Nc|R`REC`-TDd
6A3v&@2S7
nB9\6[
G /S\y
[fim8X}^Ka'&
Ev1,L@N/
'V./}pHfR
/%|m05D]<
:bahs<_V
Ja].#,
t4I\x8Ju;
g|pfYe{/Un
CZ2v2d
R;6!-v
` YU[z
?G4o3!34)
Q:xqsu~/G/K
%$g?i)|LWt
`D P}<B3
$_^Rm9
y5K`}&
b;+lznDL
yhcBY>
v|P2a'@]B#
ZMX8-w
]U %+)
vPQ#cDnt *
oq`yUBO}&y~
!-IKDE2s& 9+
BYmX73f 1|8lc-b+
$/>e>&
I'f9\3
,L?m9"x8A
UL &p-
%=01o?*"
8yxRaH!&
N=ywh6b<<Q&
..bI5!r
i|PI+AW
`ad7S aad=S aadcS aadSS aad
S aadJS aadfS aadS 9
.).-.1.
w.7K m
}OCO}O_O}O[O
~OL%~OLI~QQP6Qm02XKg
2y"?aj`
'#,fg2
fW+K n,D
*,2lms
e,IlSo*C-Em
XpaG1Zc8WB
it4 Qh;J
ZD$!5znW"
oCE.J!ji`/=
>.&lS%
2z1iM~
b/jX,<
MF#kI!g=+K
=h{E#o
YmFQ,Pl
yLuJzn
/Cy^K&-:>
3$T:Lc=
{^wZ/Y]
>O(enr
mjna}L])k
CEDxO4&
;e]6&P
f+4}1_ag
wogbgG
DZDx.-DDjDfrDD
KZL4RaM
h~qN MYk+1^IQ
_l?U{&
q{e_B_
}g-bH2y3*mvKU6%
{W"j8**b
xJr.$8>(
~u=[L SYdp
<;}l882AB*GH
Mj3f52m-
aJXgQAb/*V
%0H+UY
w849,^C?lkU
RrWF&~:J
uH"@;H`"
Tb7 !D!au.
?]5mZUOT
n2-5DUA
Va-K<ATKe]A
O>#D^D
xV$|%{l
=!u*-'
_c"X7R
1|2Sk;
&zM5fUJ
vM:^k.A(o!
c! ]`ZnH6+c a
L|,CVm
/8Te|T+
#')clb
qF2<fY,
j&4Rft8
;pzT8W
7N1OT(,
^3JJZ2yW
y(%mih[!
yju&k\aC.
lv8]5d_%
xH0'8P%C%8Nd
/gcY$2Y
"vJhR z
IS KNad
&Pj|2%f
U*/|/`=
[KKrN3
unma.ocx
H%HIHMHQH
}H1,yw
AH;9^zfq^]=YkgY8#o
zH):>2)F
gMgm\Ynn
'MVf}d'MNf'MJiMf
\n\`ut
#&0l|)9z#N
MJM}E/<
]XXXX?L [
NIu^8~8e
jnCl|2tPO
R`{y$K0Q_[]
Qt3h\,z
Fzu|utf)p8
u#6^.,unyo@E
dr;aMZ
KQ0OY|P}
G,{p[NqH9tI
W#V7]D ql
fM)M@"MV
lk|!i}E
x/t*vj
?>79=Fz;@b
FqFFFqFqFFFQFQFFFQFQt1<
6s8d?P|WN
r;1d<ja>
yl(0uQ!}8{t
QH?sy}cM'@4&@4*<~;Rc
'3aRUp.IN
C?H..]8X=
d+Tr{8
Y2&rjKA~
rSr+O8
z`1oqRtu
AN.Z9l/`;S.
[%+;K(9*F5&O7 B''&"e
@Jc"]PsW7
H%HIHMHQH
}H1,yw
AH;9^zfq^]=YkgY8#o
zH):>2)F
gMgm\Ynn
'MVf}d'MNf'MJiMf
\n\`ut
LW.YEu.]M
r~KirT
""">":"
"r"N"J"f
"8"<"@"d"
"."*"F"b
"(","0"
^0Kl$6rMH) Wn
D/BP\D
!2Gs2#)HQ
j}'+vr%!
}B-p&&b
c+hX^)B+U0^+
Tw:.EH8L|
mVKWClwR-
52=C^d
8<2BRJ*<D %~ZZh
q?X_ebm
5BBTD0:
r+I>&PhD*J\
HsrR)3f
fJIx&H_
N[,1.M
r>@'ry>
{ EvQDV7}n
*Vp:C{Oq
SZaQgKX
FJd0VH
E.cL0943ideFZt3
M= D}*Y)
j0#9$9
B,Q/u&/
-hk{uW$
o)!H3B=
\}z o<,t,
Q^!liX1^J
CoxV~[=
r]D<Y"
U^Gg n
d)6Vh)fs"
|'\7 .^
0ut8wFoAX8#mzy<
9W{RYvvb
jOG-?q#
,dm%8Cpd9N
9n~`")Vrt
5n*nWd-
nJuW_P
~qw0AI
A=M<$'t
j:+-P
ZsYy=9!9OR
;L~bz.U2
Jjm9M^9$"0)0p
dc_7NtRo
(qFCTp3
> ,XN"
xr2TqfBo*
}Unh s
a2tgerapufdgarenaumkila
adbcbcp.dll
accc___ce_s__ory
kernel32.dll
edii_llAlloc
tiqjngkbukjgtggd
bzwxuchwtc
ConnectionVer
ConnectionError
ConnectionWrite
ConnectionClose
ConnectionRead
dbnmpntw.dll
CryptMemAlloc
CryptFindOIDInfo
CertCreateContext
CertCreateCRLContext
CertNameToStrW
CryptMemFree
CryptEnumOIDInfo
CertFreeCTLContext
CryptDecodeMessage
CryptMsgUpdate
CertGetNameStringW
CertFindAttribute
crypt32.dll
lstrcmpi
GetStringTypeW
GetSystemDirectoryA
CreateFileMappingA
LoadLibraryExA
lstrcmpi
HeapFree
GetStartupInfoA
lstrcmpi
GetTickCount
CreateFileW
LoadLibraryA
FindFirstFileW
OpenFileMappingW
SearchPathA
GetCurrentProcess
CreateMutexA
GetProcAddress
GetModuleHandleA
OpenMutexW
OpenWaitableTimerA
kernel32.dll
CryptSignHashA
RegLoadKeyW
RegRestoreKeyW
RegOpenKeyW
RegSaveKeyA
RegReplaceKeyA
RegUnLoadKeyA
RegDeleteValueW
OpenEventLogA
ReadEventLogA
RegEnumKeyW
LogonUserA
InitializeAcl
RegCreateKeyExW
advapi32.dll
Process Tree
-
0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe (2996)
"C:\Users\Administrator\AppData\Local\Temp\0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe"
- sc.exe (2124) "C:\Windows\System32\sc.exe" description hesyapcx "wifi internet conection"
- cmd.exe (1852) "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hesyapcx\
- cmd.exe (1988) "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\ADMINI~1\AppData\Local\Temp\mznqssqd.exe" C:\Windows\SysWOW64\hesyapcx\
- netsh.exe (2612) "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- sc.exe (312) "C:\Windows\System32\sc.exe" start hesyapcx
- sc.exe (1140) "C:\Windows\System32\sc.exe" create hesyapcx binPath= "C:\Windows\SysWOW64\hesyapcx\mznqssqd.exe /d\"C:\Users\Administrator\AppData\Local\Temp\0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe\"" type= own start= auto DisplayName= "wifi support"
0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe, PID: 2996, Parent PID: 2400
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 1852, Parent PID: 2996
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 1988, Parent PID: 2996
default registry file network process services synchronisation iexplore office pdf
sc.exe, PID: 1140, Parent PID: 2996
default registry file network process services synchronisation iexplore office pdf
sc.exe, PID: 2124, Parent PID: 2996
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
| 20.112.250.133 |
| 43.231.4.7 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| microsoft.com |
A 20.231.239.246
A 20.76.201.171 A 20.112.250.133 |
20.231.239.246 |
| microsoft.com | MX microsoft-com.mail.protection.outlook.com | 20.231.239.246 |
| microsoft-com.mail.protection.outlook.com |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 114.114.114.114 | 53 |
| 192.168.56.101 | 52215 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62361 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62361 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 43.231.4.7 | 192.168.56.101 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | b205a820c2406ff3_mznqssqd.exe |
|---|---|
| Filepath | c:\windows\syswow64\hesyapcx\mznqssqd.exe |
| Size | 15.0MB |
| Processes | 2996 (0ad3664011cff4747cb6eec63fdf4f18743e8b050d13f9a148f65abf7dc6f85f.exe) 1988 (cmd.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 57838c82b5a392dda5027e4eb10a1938 |
| SHA1 | b46f117cf16cb147a0d24227e3ae37a7e29ea1e4 |
| SHA256 | b205a820c2406ff34d3f13283c06c7430b9ed8f6a8c48acaadd0b7575c20f5cc |
| CRC32 | 035F39DB |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.