Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe
|
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_30f3736b47cfb9d1de897e1dfe0f23861ec6a4_8a5a6b8f_33faa546-2f18-40b2-844a-dde5791fff97\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER37D9.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Apr 25 03:30:45 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3818.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3848.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe
|
"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 232
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://www.59tou.com?scV4.1.0.0http://user.qzone.qq.com/
|
unknown
|
||
|
http://www.59tou.com?scV4.1.0.0
|
unknown
|
||
|
http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeed
|
unknown
|
||
|
http://bbs.zouboke.cn/NCVIP/SCVersion.html
|
unknown
|
||
|
http://show.qq.com/cgi-bin/qqshow_user_infoname=uin=
|
unknown
|
||
|
http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeednumcName
|
unknown
|
||
|
http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeedcIdD
|
unknown
|
||
|
http://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&hide_title_bar=1&no_verifyi
|
unknown
|
||
|
http://show.qq.com/cgi-bin/qqshow_user_info
|
unknown
|
||
|
http://www.clamav.net
|
unknown
|
||
|
http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarifycodedirection
|
unknown
|
||
|
http://ptlogin2.qq.com/getimage
|
unknown
|
||
|
http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed
|
unknown
|
||
|
http://ptlogin2.qq.com/check?appid=353&uin=
|
unknown
|
||
|
http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting
|
unknown
|
||
|
http://user.qzone.qq.com/
|
unknown
|
||
|
http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify
|
unknown
|
||
|
http://www.59tou.com
|
unknown
|
||
|
http://ptlogin2.qq.com/login
|
unknown
|
||
|
http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&uinY=&uIdx=http://nc.qzone.qq.com/cgi
|
unknown
|
||
|
http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&flag=1
|
unknown
|
There are 13 hidden URLs, click here to show them.
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
ProgramId
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
FileId
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
LongPathHash
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
Name
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
OriginalFileName
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
Publisher
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
Version
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
BinFileVersion
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
BinaryType
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
ProductName
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
ProductVersion
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
LinkDate
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
BinProductVersion
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
Size
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
Language
|
||
|
\REGISTRY\A\{6b72ed7f-537d-802e-2860-d2f00b2cfbbe}\Root\InventoryApplicationFile\securiteinfo.com|2949a60e9eded5f7
|
Usn
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
4E3000
|
unkown
|
page execute and read and write
|
||
|
401000
|
unkown
|
page execute and read and write
|
||
|
54B000
|
unkown
|
page execute and read and write
|
||
|
4E3000
|
unkown
|
page execute and read and write
|
||
|
567000
|
unkown
|
page execute and read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
8A0000
|
heap
|
page read and write
|
||
|
19E000
|
stack
|
page read and write
|
||
|
514000
|
unkown
|
page execute and read and write
|
||
|
401000
|
unkown
|
page execute and read and write
|
||
|
54B000
|
unkown
|
page execute and read and write
|
||
|
8AA000
|
heap
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
567000
|
unkown
|
page execute and read and write
|
||
|
9D000
|
stack
|
page read and write
|
||
|
6F0000
|
heap
|
page read and write
|
||
|
514000
|
unkown
|
page execute and read and write
|
There are 8 hidden memdumps, click here to show them.