VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.


Basic Information

file name: 00神笔马良
file size: 3075296
file type: application/x-dosexec
MD5: eaffb94f5bcd751ff16eec0d6a3109cb
sha1: 995ff82940e5cf599d97e036ba635b46129d3669

 CreateProcess

ApplicationName:
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\is-RUIO9.tmp\1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp" /SL5="$90198,2691426,140800,C:\Users\Administrator\AppData\Local\Temp\1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe"
childid: 608
childname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
childpath: C:\Users\Administrator\AppData\Local\Temp\is-RUIO9.tmp\1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
drop_type: 2
name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
pid: 1812
ApplicationName:
CmdLine:
childid: 1812
childname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
drop_type:
name:
noNeedLine:
path:
pid: 2484
ApplicationName:
CmdLine:
childid: 1304
childname: explorer.exe
childpath: C:\Windows\explorer.exe
drop_type:
name:
noNeedLine:
path:
pid: 1256

 Summary

buffer: `\x02\x00\x00\x0e1\x97W@E\xd7\x01
processid: 608
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
type: REG_BINARY
valuename: Owner
buffer: \x89\xdf\x8c+T\xa9v[\xa1\x951\x17L\xc5\xebM\x0c\xe3_\x14\x00\xb9\xc7\xf7\x0bX\xedM\xcc)q\xc8
processid: 608
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
type: REG_BINARY
valuename: SessionHash
buffer: 1
processid: 608
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
type: REG_DWORD
valuename: Sequence
buffer: C:\Program Files (x86)\FahecaZbo\temidamel\Pugefi.exe\x00\x00
processid: 608
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
type: REG_MULTI_SZ
valuename: RegFiles0000
buffer: \x1em\xc2\x87\xeb\xd7nj\x9d*a&\xc4K'4\xda\xc4\xa4\xb2j%\xd9\xc4\xdd{\x87-\x88 \xf7\x93
processid: 608
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
type: REG_BINARY
valuename: RegFilesHash
buffer: 5.5.0 (u)
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: Inno Setup: Setup Version
buffer: C:\Program Files (x86)\FahecaZbo
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: Inno Setup: App Path
buffer: C:\Program Files (x86)\FahecaZbo\
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: InstallLocation
buffer: FahecaZbo
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: Inno Setup: Icon Group
buffer: Administrator
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: Inno Setup: User
buffer: default
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: Inno Setup: Language
buffer: FahecaZbo version 1.7
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: DisplayName
buffer: C:\Program Files (x86)\FahecaZbo\temidamel\Pugefi.exe
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: DisplayIcon
buffer: "C:\Program Files (x86)\FahecaZbo\unins000.exe"
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: UninstallString
buffer: "C:\Program Files (x86)\FahecaZbo\unins000.exe" /SILENT
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: QuietUninstallString
buffer: 1.7
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: DisplayVersion
buffer: 1
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_DWORD
valuename: NoModify
buffer: 1
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_DWORD
valuename: NoRepair
buffer: 20210510
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_SZ
valuename: InstallDate
buffer: 1
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_DWORD
valuename: MajorVersion
buffer: 7
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_DWORD
valuename: MinorVersion
buffer: 18759
processid: 608
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FahecaZbo_is1
type: REG_DWORD
valuename: EstimatedSize
buffer: \x13\x00\x00\x00\xc3S[bH\xab\xc1N\xba\x1f\xa1\xefAF\xfc\x19\x00\x80\x00\x00\x00~\x001\x00\x00\x00\x00\x00hKKD\x11\x00Programs\x00\x00f\x00\x08\x00\x04\x00\xef\xbehKGDhKKD*\x00\x00\x00\xa6\x0c\x01\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00<\x00\x00\x00\x00\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00\x00\x00@\x00s\x00h\x00e\x00l\x00l\x003\x002\x00.\x00d\x00l\x00l\x00,\x00-\x002\x001\x007\x008\x002\x00\x00\x00\x18\x00\x00\x00\x01\x12\x02\x00\x00\x10\x022\x00* \x00\x00hKxF \x00GOOGLE~1.LNK\x00\x00P\x00\x08\x00\x04\x00\xef\xbehKxFhKxF*\x00\x00\x00\xe8@\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00G\x00o\x00o\x00g\x00l\x00e\x00 \x00C\x00h\x00r\x00o\x00m\x00e\x00.\x00
processid: 1304
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
type: REG_BINARY
valuename: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache

 Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

 Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: 4ff75f505fddcc6a9ae62216446205d9
name: _setup64.tmp
new_size: 6144bytes
operation: File dropped then deleted
path: C:\Users\Administrator\AppData\Local\Temp\is-AK2U6.tmp\_isetup\_setup64.tmp
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: efe32d504ce72f32e92dcf01aa2752b04d81a342
sha256: a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
size: 6144
this_path: /data/cuckoo/storage/analyses/1000524/files/4490194230/_setup64.tmp
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: Safe
create: 0
how: del
md5: 92dc6ef532fbb4a5c3201469a5b5eb63
name: _shfoldr.dll
new_size: 22KB (23312bytes)
operation: File dropped then deleted
path: C:\Users\Administrator\AppData\Local\Temp\is-AK2U6.tmp\_isetup\_shfoldr.dll
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
sha256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
size: 23312
this_path: /data/cuckoo/storage/analyses/1000524/files/7389266903/_shfoldr.dll
type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: del
md5: eeede3f88b35f1f850b1516b596d3e28
name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
new_size: 1133KB (1160704bytes)
operation: File dropped then deleted
path: C:\Users\Administrator\AppData\Local\Temp\is-RUIO9.tmp\1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
processid: 1812
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
sha1: f13e556a1cbb353889b13bc62bb8837080f47c5a
sha256: 4f31c4ebd07b060752c49cd8bda5e53144fdc3f0a15e8e942a4a7cc053cd323c
size: 1160704
this_path: /data/cuckoo/storage/analyses/1000524/files/4857250426/1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: Safe
create: 0
how: move
md5: 75406237fa181ead7b64d13672a6826b
name: unins000.exe
new_size: 1155KB (1183089bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\unins000.exe
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: a33149c647b234c18930da276e4e0a32170e6b34
sha256: 12309c696a89727e4d12ebab87522b9a936ac8ccd9e1e32227c3e550b0f56942
size: 1183089
this_path: /data/cuckoo/storage/analyses/1000524/files/1000/unins000.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: Safe
create: 0
how: move
md5: 6c5fe96b3d738ee751c834dfdbb449be
name: Fuferef.cpp
new_size: 1087KB (1114109bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\Fuferef.cpp
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 4f3e3d1b086140098e354ac451e2611cae3aee4b
sha256: c93badd756319c8e066ab309d7775eaa52c30dbf129073edfd56bb18c61606ee
size: 1114109
this_path: /data/cuckoo/storage/analyses/1000524/files/1001/Fuferef.cpp
type: data
analysis_result: Safe
create: 0
how: move
md5: 67e3be38cbb133af826a8af0fbe35475
name: Mafoceme.txt
new_size: 1151KB (1179645bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\Mafoceme.txt
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 6deead4c1c8f90d79cb1f10645bb12b14fcc76ef
sha256: 3c1cb71cfc7d6b6b06e77b153733c42e0b1ff49539c1b0f9cfa658c464f320b3
size: 1179645
this_path: /data/cuckoo/storage/analyses/1000524/files/1002/Mafoceme.txt
type: data
analysis_result: Safe
create: 0
how: move
md5: 711ff5da0b269551499d8ed71351e2ca
name: Pomokabeg.log
new_size: 1535KB (1572861bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\Pomokabeg.log
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: cb639766605291c352451a1c3e61d67997bfec6f
sha256: 9b5cdceec1c4fec110e1577a03c39327c284db90b2cf7e458d055adb7688a618
size: 1572861
this_path: /data/cuckoo/storage/analyses/1000524/files/1003/Pomokabeg.log
type: data
analysis_result: Safe
create: 0
how: move
md5: 75a3ccfe17a51b4a9cd68445abe7f4cd
name: Setap.wpd
new_size: 2047KB (2097149bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\Setap.wpd
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: de39abbdafd37cd670218b24a49f842180a9aedf
sha256: 3867711a0b176428f47cad3b3d14841050b379632fd804523ee4789145c7e7ce
size: 2097149
this_path: /data/cuckoo/storage/analyses/1000524/files/1004/Setap.wpd
type: data
analysis_result: Safe
create: 0
how: move
md5: d0643781e8bf5d36b03a4db05cab8dad
name: Barehotahog.srt
new_size: 1215KB (1245181bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Barehotahog.srt
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 728a9c25f758aaa941ec31dfdae91029664f2fda
sha256: 6a881d01097f39647feab80efa252eee70e0b38449ced493ee0cb341c14a36d1
size: 1245181
this_path: /data/cuckoo/storage/analyses/1000524/files/1005/Barehotahog.srt
type: data
analysis_result: Safe
create: 0
how: move
md5: 8e5dde8fa56a75e4a500e7852eb98a9d
name: Cobadusegune.ppt
new_size: 1791KB (1835005bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Cobadusegune.ppt
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: ac4820698b502959738bd7d38643d2d506581938
sha256: 6e958e9b5054142fcb550a86a2d12cca73e073da7a1d8f0ea96f106e7c3903a4
size: 1835005
this_path: /data/cuckoo/storage/analyses/1000524/files/1006/Cobadusegune.ppt
type: data
analysis_result: Safe
create: 0
how: move
md5: c137a61bc2d096a8adc566142250fd92
name: Hekihuhices.doc
new_size: 1279KB (1310717bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Hekihuhices.doc
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: ede61b830800031ced7cb95d4e011a5af263c87a
sha256: 97bb128e116b764aa5bf99aab0f0d9a2ae54b95655e1c4e18e2983d0b844bc36
size: 1310717
this_path: /data/cuckoo/storage/analyses/1000524/files/1007/Hekihuhices.doc
type: data
analysis_result: Safe
create: 0
how: move
md5: 11b4cde4d55427c1f690e3b80e4ea999
name: Ledekolo.bo
new_size: 1407KB (1441789bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Ledekolo.bo
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: e4674663acb0bdc8d2c0fbb010b4936dde11fa74
sha256: adfe5c65cbe34da02554a8ad8753c7704d436917198e5e41779a81ed24ca848a
size: 1441789
this_path: /data/cuckoo/storage/analyses/1000524/files/1008/Ledekolo.bo
type: data
analysis_result: Safe
create: 0
how: move
md5: 09659050303d798be8cfd79f45dc854c
name: Mecur.srt
new_size: 1791KB (1835005bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Mecur.srt
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 4bb4d18411f46983f4af3eaaf5c2d8972fecc893
sha256: a8b1cdd256bab27fbd8062400fa555b58286488137826df07df9b9d0c8ba2bd5
size: 1835005
this_path: /data/cuckoo/storage/analyses/1000524/files/1009/Mecur.srt
type: data
analysis_result: Safe
create: 0
how: move
md5: b803c6fcd22a02a106b18308a836f933
name: Mepepole.mp3
new_size: 1663KB (1703933bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Mepepole.mp3
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 1522ebce4a448ba21e64db41c7854f6fed597407
sha256: 7e467d46b0653f6508074d621aeb16a9e0b96372ba335e923130655331c067a2
size: 1703933
this_path: /data/cuckoo/storage/analyses/1000524/files/1010/Mepepole.mp3
type: data
analysis_result: Safe
create: 0
how: move
md5: d3bc535e7062f9f68692fd271183ad9c
name: Mesunelosero.xml
new_size: 1279KB (1310717bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Mesunelosero.xml
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: a8abd39fa2e1ff83522db7f804428e8b147a8e84
sha256: 895cd4ecb3872b4a32a7398741f6f1c1c53bcf8f3c3fc410ec11beacde72e507
size: 1310717
this_path: /data/cuckoo/storage/analyses/1000524/files/1011/Mesunelosero.xml
type: data
analysis_result: Safe
create: 0
how: move
md5: 7fb383d2e1d8396734c662b3c9931341
name: Pugefi.exe
new_size: 25KB (26275bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Pugefi.exe
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 1236fb283bd85f13a660ddfcfb00fd591b826ff0
sha256: 4058ce7e0a3431db6a5583a8b0e00aab9143ff951d6fb472173c44707ff8ece1
size: 26275
this_path: /data/cuckoo/storage/analyses/1000524/files/1012/Pugefi.exe
type: PE32 executable (Unknown subsystem 0x948a) Unknown processor type 0x0, for MS Windows
analysis_result: Safe
create: 0
how: move
md5: d2acdd83b2331fbf3c0d27dc37523253
name: Sedokabado.com
new_size: 1343KB (1376253bytes)
operation: File copied / overwritten
path: C:\Program Files (x86)\FahecaZbo\temidamel\Sedokabado.com
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 1f7860d22f2aeeba1be9f4c93611a3f534391560
sha256: 706fbb7fda0c375334283fab6c8dabe70086c80ebf75b188fa9feaa628a02c80
size: 1376253
this_path: /data/cuckoo/storage/analyses/1000524/files/1013/Sedokabado.com
type: data
analysis_result: Safe
create: 0
how: write
md5: 293ff3be5058776be57bc98c58201f37
name: FahecaZbo.lnk
new_size: 1118bytes
operation: File modified
path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FahecaZbo\FahecaZbo.lnk
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 436df52b673a9dd678b255cb0bc20a36ffe7e91d
sha256: 373040bdf71cebbc80a2a373c48dc4e6cc6f7c9df42b9337332d639405059892
size: 1118
this_path: /data/cuckoo/storage/analyses/1000524/files/1014/FahecaZbo.lnk
type: MS Windows shortcut
analysis_result: Safe
create: 0
how: write
md5: 028f249cacaa582ea9093efff9126fa3
name: unins000.dat
new_size: 3371bytes
operation: File modified
path: C:\Program Files (x86)\FahecaZbo\unins000.dat
processid: 608
processname: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
sha1: 7c96c2669f47a96e5c15c81b5c0df03bc49ea570
sha256: ceace1001048bb39c1064b414ad7a234889e803f0a7ed76d035b9e9e7ac1c14a
size: 3371
this_path: /data/cuckoo/storage/analyses/1000524/files/1015/unins000.dat
type: data

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 69
process_id: 1812
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
rulename: Change memory region to readable/writable/executable
attck_tactics: Defense evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide malicious code
num: 563
process_id: 1812
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program loads a resource from its resource section into memory and decrypts it
num: 101
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 136
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Change memory region to readable/writable/executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specific target files
num: 612
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Monitors whether the mouse moves while the program is running; commonly used by malware for sandbox evasion
num: 2142
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Get current mouse position
attck_tactics: Persistence
level: 1
matchedinfo: The malicious program opens the Service Control Manager in order to control services
num: 2690
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Open Service Control Manager
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malicious program calls key APIs to obtain the system user name, in order to collect user information
num: 2752
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Get current user name
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 3671
process_id: 608
process_name: 1620612036380_eaffb94f5bcd751ff16eec0d6a3109cb.tmp
rulename: Get hidden-files setting
attck_tactics: Defense evasion
level: 2
matchedinfo: Monitors whether the mouse moves while the program is running; commonly used by malware for sandbox evasion
num: 501
process_id: 1304
process_name: explorer.exe
rulename: Get current mouse position