SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
File name: fd6c69c345f1e329_svchost.exe
Detection ratio: 57 / 65
Analysis date: 2018-11-20 10:12:51 UTC (1 day, 3 hours ago)
Antivirus Result Update
Ad-Aware Trojan.Zbot.IVF 20181120
AhnLab-V3 Virus/Win32.Ramnit.R205005 20181120
ALYac Backdoor.Zbot.al 20181120
Antiy-AVL Trojan[Packed]/Win32.Krap 20181120
Arcabit Trojan.Zbot.IVF 20181120
Avast Win32:GenMalicious-GOW [Trj] 20181120
AVG Win32:GenMalicious-GOW [Trj] 20181120
Avira (no cloud) TR/Crypt.XPACK.AB.1 20181120
Baidu Win32.Trojan.Ramnit.e 20181120
BitDefender Trojan.Zbot.IVF 20181120
Bkav W32.RammintDropperNNA.Worm 20181120
CAT-QuickHeal Trojan.Ramnit.MUE.R4 20181120
ClamAV Win.Malware.QBot-846 20181120
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20181022
Cybereason malicious.7193ce 20180225
Cylance Unsafe 20181120
Cyren W32/Ramnit.UNAX-1410 20181120
DrWeb VBS.Dropper.128 20181120
Emsisoft Trojan.Zbot.IVF (B) 20181120
Endgame malicious (moderate confidence) 20181108
ESET-NOD32 Win32/Ramnit.A 20181120
F-Prot W32/Ramnit.X 20181120
F-Secure Trojan.Zbot.IVF 20181120
Fortinet W32/Snocry.JQ!tr 20181120
GData Win32.Virus.Ramnit-Main.C 20181120
Sophos ML heuristic 20181108
Jiangmin Trojan/Generic.beznk 20181120
K7AntiVirus Trojan ( f1000f011 ) 20181120
K7GW Trojan ( f1000f011 ) 20181120
Kaspersky Packed.Win32.Krap.hm 20181120
Kingsoft Win32.Troj.Krap.hm.(kcloud) 20181120
Malwarebytes Worm.Qakbot 20181120
MAX malware (ai score=100) 20181120
McAfee PWS-Zbot.gen.pq 20181120
McAfee-GW-Edition BehavesLike.Win32.ZBot.qc 20181120
Microsoft Worm:Win32/Ramnit.A 20181120
eScan Trojan.Zbot.IVF 20181120
NANO-Antivirus Trojan.Win32.ULPM.dlsptx 20181120
Palo Alto Networks (Known Signatures) generic.ml 20181120
Panda Trj/Krap.Y 20181119
Qihoo-360 VirusOrg.Win32.Ramnit.K 20181120
Rising Trojan.Win32.Ramnit.o (CLOUD) 20181120
SentinelOne (Static ML) static engine - malicious 20181011
Sophos AV W32/Ramnit-ET 20181120
Symantec Trojan.Zbot!gen9 20181120
Tencent Virus.Win32.Ramnit.efg 20181120
TheHacker Posible_Worm32 20181118
TotalDefense Win32/Ramnit.NFTMJbB 20181118
TrendMicro BKDR_QAKBOT.SMC 20181120
TrendMicro-HouseCall BKDR_QAKBOT.SMC 20181120
VBA32 Malware-Cryptor.Win32.073 20181119
ViRobot Trojan.Win32.Z.Zbot.56320.F 20181120
Webroot W32.Malware.gen 20181120
Yandex Trojan.Kryptik!P4PzTd0t6I4 20181119
Zillya Adware.OutBrowse.Win32.104455 20181119
ZoneAlarm by Check Point Packed.Win32.Krap.hm 20181120
Zoner Trojan.Zbot 20181120
AegisLab 20181120
Alibaba 20180921
Avast-Mobile 20181119
Babable 20180918
CMC 20181119
eGambit 20181120
SUPERAntiSpyware 20181114
Symantec Mobile Insight 20181108
TACHYON 20181120
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright 2528-6142
Product люзанх
Original name nedwp.exe
Internal name фжзрюкшэщ
File version 106.42.73.61
Description BitDefender Management Console
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-02-12 11:02:20
Entry Point 0x0002C030
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
DragFinish
WinHelpW
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
RUSSIAN 2
PE resources
ExifTool file metadata
UninitializedDataSize 122880
LinkerVersion 7.4
ImageVersion 8.1
FileVersionNumber 106.42.73.61
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription BitDefender Management Console
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 4096
EntryPoint 0x2c030
OriginalFileName nedwp.exe
MIMEType application/octet-stream
LegalCopyright 2528-6142
FileVersion 106.42.73.61
TimeStamp 2008:02:12 12:02:20+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 106.42.73.61
SubsystemVersion 4.0
OSVersion 10.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName SOFTWIN S.R.L.
CodeSize 57344
FileSubtype 0
ProductVersionNumber 106.42.73.61
FileTypeExtension exe
ObjectFileType Executable application

While monitoring an end-user machine in the wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
ssdeep 1536:Q+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzE:bROzoTq0+RO7IwnY
authentihash 99dc4b0f55eed36a83a5dc3c5fd6fa5ed273fc25e48941cdf45e180d89a41f85
imphash 500cd02578808f964519eb2c85153046
File size 55.0 KB (56320 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (31.0%)
Win32 Executable (generic) (21.2%)
Win16/32 Executable Delphi generic (9.7%)
OS/2 Executable (generic) (9.5%)
Clipper DOS Executable (9.5%)
Tags
peexe attachment upx

VirusTotal metadata
First submission 2010-07-30 21:00:35 UTC (8 years, 3 months ago)
Last submission 2018-11-20 10:12:51 UTC (1 day, 3 hours ago)
File names GameSrv.exe
potjeokc.exe
qlaaykaw.exe
fastbootSrv.exe
kpkxcwyg.exe
fd6c69c345f1e329_f1f147b6ad3bd539578c3a2e4ebaf26b06925c64srv.exe
fd6c69c345f1e329_591118a57a0fa90cbfc3f009260ccf4499d5b36bsrv.exe
fd6c69c345f1e329_rundll32srv.exe
ClientSrv.exe
sampleSrv.exe
ff5e1f27193ce51eec318714ef038bef.exe
fd6c69c345f1e329_2adbe31256057526532faf7108da1f49cca6304asrv.exe
ofyajwkr.exe
desktoplayerSrv.exe
HashCalcSrv.exe
bkwefphm.exe
pieoxkxk.exe
fd6c69c345f1e329_38277a66df14acd4ddf294b917d90f1fba006618srv.exe
UsbFixSrv.exe
TibiaSrv.exe
fd6c69c345f1e329_f696789aa25c1e37b834f59669832c14afc78e75srvsrv.exe
DESKTOPLAYER.EXE
fgsiwxpg.exe
=?GB2312?B?sNfSz834sLJTcnYuZXhl?=
fd6c69c345f1e329_f0bf26cca8558d75e3671c3fa71efdd06ccdcd51srv.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Copied files
Deleted files
Created processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.