VirSCAN

1, You can UPLOAD any file, but there is a 20 MB limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload them.

Basic Information

file name: 00纯阳武神
file size: 559888
file type: application/x-dosexec
MD5: a048fc488cf525b14bfa4d91c4016d08
sha1: 2ed16f57800263bae3cad5bf479c036df9b699cb

 CreateProcess

ApplicationName:
CmdLine:
childid: 4396
childname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
drop_type:
name:
noNeedLine:
path:
pid: 3804

 Summary

buffer: 0
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASAPI32
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASAPI32
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASAPI32
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASAPI32
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASAPI32
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASAPI32
type: REG_EXPAND_SZ
valuename: FileDirectory
buffer: 0
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASMANCS
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASMANCS
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASMANCS
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASMANCS
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 4396
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1618729237292_a048fc488cf525b14bfa4d91c4016d08_RASMANCS
type: REG_EXPAND_SZ
valuename: FileDirectory
buffer: 0
processid: 4396
szSubkey: HKEY_USERS\S-1-5-21-3531488231-4160719598-983141384-500\Software\Microsoft\windows\CurrentVersion\Internet Settings
type: REG_DWORD
valuename: ProxyEnable
buffer: F\x00\x00\x00\x05\x01\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x90{\x81\xfe\xe9"\xd4\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\xc0\xa88\xc9\x00\x00\x00\x00\x00\x00\x00\x00+00\x9d\x19\x00/C:\\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00t\x001\x00\x00\x00\x00\x00hKGD\x11\x00Users\x00`\x00\x08\x00\x04\x00\xef\xbe\xee:\x85\x1ahKGD*\x00\x00\x00\xe6\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x006\x00\x00\x00\x00\x00U\x00s\x00e\x00r\x00s\x00\x00\x00@\x00s\x00h\x00e\x00l\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\xc4\x97z\x90\x8f\x9e\x8fu\x0b\x00\x00\x00\x00\x00\x00\x14\x00`\x001\x00\x00\x00\x00\x00pKZ/\x10\x00ADMINI~1\x00\x00H\x00\x08\x00\x04\x00\xef\xbehKGDpKZ
processid: 4396
szSubkey: HKEY_USERS\S-1-5-21-3531488231-4160719598-983141384-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
type: REG_BINARY
valuename: SavedLegacySettings
buffer: 1
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x00Z\xba\xdbu4\xd7\x01
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x00Z\xba\xdbu4\xd7\x01
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision
buffer: F\x00\x00\x00\x0e\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x14\xf7\xb7u4\xd7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\xc0\xa88\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x11\x00\x00\x00\x10\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00 \x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xea\x03\x00\x00 \x06\x02\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xa0\x1a\x0f\xe7\x8b\xab\xcf\x11\x8c\xa3\x00\x80_H\xa1\x92\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00((\xe2\x91dY\x8fP\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
processid: 4396
szSubkey: HKEY_USERS\S-1-5-21-3531488231-4160719598-983141384-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
type: REG_BINARY
valuename: DefaultConnectionSettings
buffer: {42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
type: REG_SZ
valuename: WpadLastNetwork
buffer: 0
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: UNCAsIntranet
buffer: 1
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: AutoDetect
buffer: 0
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: UNCAsIntranet
buffer: 1
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: AutoDetect
buffer: 1
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x80\x08`kv4\xd7\x01
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 0
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x80\x08`kv4\xd7\x01
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 0
processid: 4396
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision

 Behavior_analysis

message: Malware accesses multiple domains, for worm propagation or DDoS attacks
name: Accesses multiple domains
szSubkey:
score: 3
message: Attempts to evade sandbox detection by sleeping for an extended period
name: Long sleep
szSubkey:
score: 2

 Dropped_Save

analysis_result: safe
create: 0
how: write
md5: d99b79ae9d7124f9a45fb35d6ddc3493
name: DLG9A8.tmp
new_size: 25KB (25728bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG9A8.tmp
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: 5cf8a701dcd0503d7a1a3d736bb70e9b1d5e0d9e
sha256: 6670fb9e498e961ce702ad7142cdf5529d646a2db9cfaa59a0f21557aceac481
size: 25728
this_path: /data/cuckoo/storage/analyses/7000055/files/1000/DLG9A8.tmp
type: data
analysis_result: safe
create: 0
how: write
md5: 69e4fb88f38472e651f3b4169879c47f
name: DLG-Product-Logo.png
new_size: 2599bytes
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\dlgres\DLG-Product-Logo.png
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: b5ac25ecf94344196f5cc3f8b0dd4b863fb73182
sha256: bd284633e72034f963ae0db7bbf7714cd735dcb51d905969f1d8b03b73952033
size: 2599
this_path: /data/cuckoo/storage/analyses/7000055/files/1001/DLG-Product-Logo.png
type: PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced
analysis_result: safe
create: 0
how: write
md5: bf4625507c1d35caabdb3e9d9ba584a0
name: style.css
new_size: 1519bytes
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\initWindow\css\style.css
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: a66e8e8db0043d182a45ce9546592ee0e1304781
sha256: 491accafcf5a3997fd2b8b6d3a91153773db8ca0df10b248a19ee51516c403a8
size: 1519
this_path: /data/cuckoo/storage/analyses/7000055/files/1002/style.css
type: assembler source, ASCII text, with CRLF line terminators
analysis_result: safe
create: 0
how: write
md5: a0ee32dc4ffc79fdef2dc0467da538c5
name: noconnection.html
new_size: 2619bytes
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\initWindow\noconnection.html
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: 15d78592ac2c313a52d3c22783aae9bb4c787182
sha256: b4508b7dcc08b2b93cd64bee68bd5174fe48f48280e59f9a81d4861c3ef0431d
size: 2619
this_path: /data/cuckoo/storage/analyses/7000055/files/1003/noconnection.html
type: HTML document, UTF-8 Unicode text, with CRLF line terminators
analysis_result: safe
create: 0
how: write
md5: 2c68017c4ea6ee541e285aaae8840ba9
name: progress.html
new_size: 1080bytes
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\initWindow\progress.html
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: f1255d0203df8e23af4a568c2de5e6762dd49d96
sha256: 6c926310dc1495ef47e07efd9b695f34c7d4f755fa011cd73455b5e4ed93898b
size: 1080
this_path: /data/cuckoo/storage/analyses/7000055/files/1004/progress.html
type: HTML document, ASCII text, with CRLF line terminators
analysis_result: safe
create: 0
how: write
md5: 002ab0273d3f8f0575a09dc4392b1905
name: loadingImage.bmp
new_size: 1782KB (1825254bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: b96c8394bf6ae5fb3abe8b4c2a6d0fe3c3d31303
sha256: 57f3c81751562f8327a62e3381b93367755a2dddc18becc6fedefe6ca6554d63
size: 1825254
this_path: /data/cuckoo/storage/analyses/7000055/files/1005/loadingImage.bmp
type: PC bitmap, Windows 3.x format, 5850 x 78 x 32
analysis_result: safe
create: 0
how: move
md5: 5adfb2b91b3bcf6961f2b68d172c9969
name: uifile.zip
new_size: 96KB (98679bytes)
operation: copy and overwrite file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\uifile.zip
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: a2759aedcb20c12ae9ed1b39ee0e137064c97fe9
sha256: 4bfaa405b3450ee70527d1018ee23a58bf5e2526a0589b590751ace3b040c1e4
size: 98679
this_path: /data/cuckoo/storage/analyses/7000055/files/1006/uifile.zip
type: Zip archive data, at least v2.0 to extract
analysis_result: safe
create: 0
how: write
md5: 1dba20bced03870623c25d5bebaf51d1
name: index.html
new_size: 3024bytes
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\index.html
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: d8fe09e9cf90a758d5955c8a6756bcb2dfdef0d1
sha256: 39f3b11a35c90eb369c4f8bd5acff1d1c4c9ea9c0ca93ce6eb032b2f371b7f76
size: 3024
this_path: /data/cuckoo/storage/analyses/7000055/files/1007/index.html
type: HTML document, ASCII text, with CRLF line terminators
analysis_result: safe
create: 0
how: write
md5: f03e619f09f49dbcd4ec035eae355d6f
name: style.css
new_size: 2746bytes
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\css\style.css
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: d8f8ec242126010bb9422e28d2086b4173abfcf3
sha256: ce57610e5a5b2eeb9e2379e82f7ac5fc5f97640f42638b3fe3602c11d5ca7893
size: 2746
this_path: /data/cuckoo/storage/analyses/7000055/files/1008/style.css
type: assembler source, ASCII text, with CRLF line terminators
analysis_result: safe
create: 0
how: write
md5: 1d044e7ccf127f8f68c5eaa98d80c856
name: img1.png
new_size: 52KB (54240bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\img\img1.png
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: a98a3a59764489784f0f7866413e85729bf90f10
sha256: 83976767c46c62486cfef6cf3f5cd3ce66960c1e8a8d263b89dbb04183947373
size: 54240
this_path: /data/cuckoo/storage/analyses/7000055/files/1009/img1.png
type: PNG image data, 164 x 314, 8-bit/color RGB, non-interlaced
analysis_result: safe
create: 0
how: write
md5: e6ecc7ea173e1a11774b8d2ef33da497
name: progress-bar.png
new_size: 17KB (17879bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\img\progress-bar.png
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: 2498dfac57f97ec6e14a7b30ea984cd18a41d25d
sha256: 8cf5ba182438452512e370053cf92775c1c0e1e8424c1d046bcee17cc02502fe
size: 17879
this_path: /data/cuckoo/storage/analyses/7000055/files/1010/progress-bar.png
type: PNG image data, 417 x 21, 8-bit grayscale, non-interlaced
analysis_result: safe
create: 0
how: write
md5: 4fee4a9ad49cc57c8e44b729b70f0f33
name: progress.png
new_size: 18KB (18751bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\img\progress.png
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: 293d7ee9b1b893150d38b00eeedce82170c46815
sha256: f7d41eb86d079b63da2fadf7bb705e51605aecb92385c275bbaaabb527226265
size: 18751
this_path: /data/cuckoo/storage/analyses/7000055/files/1011/progress.png
type: PNG image data, 417 x 21, 8-bit/color RGBA, non-interlaced
analysis_result: safe
create: 0
how: write
md5: 11468602df014a21b203dc9bcd84d369
name: jquery-1.10.2.min.js
new_size: 90KB (93113bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Local\Temp\DLG\ui\offers\e7897d55b76a861e21cb37580d296be2\js\jquery-1.10.2.min.js
processid: 4396
processname: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
sha1: 2cf8733fe01e2d149140cb840595fa5d21769f93
sha256: 29c9e8752f25b17961e3c6ff72de34b1f1a157dfc5fabb68bd148b8ec9002b17
size: 93113
this_path: /data/cuckoo/storage/analyses/7000055/files/1012/jquery-1.10.2.min.js
type: ASCII text, with very long lines, with CRLF line terminators

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Commonly used for file encryption or encrypted data transmission; may also be used by ransomware
num: 381
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Calls a cryptographic algorithm library
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 436
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Sets a memory region to read/write/execute
attck_tactics: Defense evasion
level: 2
matchedinfo: Rewrites data into a newly created process in order to evade antivirus detection
num: 722
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Process data rewriting (via memory mapping)
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malicious program creates a network connection in order to communicate over the network
num: 1168
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Creates a network socket connection
attck_tactics: Command and control
level: 1
matchedinfo: The malicious program may connect over a non-standard port to exfiltrate data
num: 1185
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Connects to local address 127.0.0.1
attck_tactics: Persistence
level: 1
matchedinfo: The malicious program opens the Service Control Manager in order to control services
num: 1398
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Opens the Service Control Manager
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 1437
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Enumerates files
attck_tactics: Execution
level: 2
matchedinfo: The malicious program opens a thread in order to manipulate other threads
num: 1477
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Opens other threads
attck_tactics: Persistence
level: 1
matchedinfo: The malicious program writes to the registry in order to modify the user's proxy settings
num: 1492
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Modifies browser proxy
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malicious program calls key APIs to obtain the system user name in order to collect user information
num: 1500
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Gets current user name
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malicious program retrieves the user's network adapter information in order to obtain sensitive information
num: 1801
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Collects computer network adapter information
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program sends data using POST
num: 2464
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Sends data via POST
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program requests (or sends) configuration files using GET
num: 3018
process_id: 4396
process_name: 1618729237292_a048fc488cf525b14bfa4d91c4016d08.exe
rulename: Requests data via GET